Cisco's storage surprise

The company is said to be readying a top-of-the-line director-class switch. PAGE 8.

En garde!

Amid growing concern about hacker infiltrations into military computers, the top commander for the Department of Defense network operations is stepping up security. PAGE 8.

Locking up Linux

Vendors behind the major commercial Linux distributions, including Red Hat and Novell, will be increasing their security efforts in the coming months. PAGE 16.
Chambers defends Cisco’s wide reach

Cisco is stretched in many directions, with big initiatives in the enterprise, service provider, consumer and small to midsize business markets. Add to this the company's $7 billion purchase of Scientific-Atlanta, and it’s a plateful. Network World Editorial Director John Gallant and Managing Editor Jim Duffy met with President and CEO John Chambers last week to talk about why Cisco’s reaching so far and how its moves will affect corporate customers.

Can you rank your four lines of business in order of strategic priority and growth prospects?

We think the enterprise network, the commercial/SMB network, the consumer network and the service provider network will completely blur. We’ve
See Chambers, page 12

Nortel road map stresses security

BY PHIL HOCHMUTH

Nortel next month is expected to start revitalizing its enterprise switching business by introducing a new endpoint security product, which may be followed by a series of LAN resiliency and security announcements throughout the year.

The new Secure Network Access Switch (SNAS) is an appliance that works with LAN switches to block or quarantine potentially dangerous devices without requiring permanent client software on PCs, laptops or other devices. Observers say this clientless approach gives Nortel a competitive multi-vendor network access control (NAC) offering.

“Nortel needed to do something like this,” says Zeus Kerravala, an analyst with The Yankee Group. After a tumultuous year of executive shakeups, laying out a switching road map with a focus on security should help — at least somewhat — to eliminate concerns about the vendor’s enterprise intentions.

Additional announcements expected from Nortel include the ability to run full Check Point firewall or Sourcefire intrusion-detection system (IDS) and intrusion-prevention system (IPS) packet inspection on every port on core Nortel switches. Also planned is near-SONET-speed failover for switches with Nortel’s redundancy protocol, Split Multi-Link Trunking, as well as added support for SMLT across more product lines.

Nortel’s SNAS — in beta and set
See Nortel, page 10

On tap from Nortel

LAN product and feature upgrades expected in '06 include:

• LAN-based endpoint security.
• Switch port-level firewall/IDS.
• SONET-speed Ethernet failover.
• Wider fast-failover support.
WEB FRONT-END DEVICES

In the industry’s first comprehensive test of the performance of Web front-end devices, we found the benefits of app acceleration are real, but there's a trade-off between speed and scalability. Page 38.

Go online for product-by-product breakdowns for Array, Citrix, Crescendo Networks, F5 Networks, Foundry Networks and Juniper Networks. www.networkworld.com, DocFinder: 1741.

IETF hums along at 20

Standards body has had its quirky moments.

BY CAROLYN DUFFY MARSAN

From a notorious striptease by Internet pioneer Vint Cerf to a fist-pumping, table-jumping brawl about cryptography policy, the Internet’s premier standards-setting body has had its share of big moments.

This week, the IETF celebrates another one when it turns 20.

See IETF, page 14
8 Military clamping down on security.
8 Cisco readies storage switch.
10 Symantec, Kaspersky criticized for cloaking software.
16 Aruba, Meru air WLAN wares.
16 Linux vendors stepping up security focus.
56 Group policy vendors adding better controls.

Net Infrastructure

17 Branch nets get integrated help.
17 Yahoo, Sheraton offer Wi-Fi lounge.
20 NetPro offers protection for Active Directory.
20 Start-up offers tool for security analysis.

Enterprise Computing

22 EMC girds for grid computing.
22 More office applications squeezed into USB drives.

Application Services

23 E-commerce goes contactless.
23 Microsoft wins over retailer Target.
24 Scott Bradner: Blocking the power of the Internet.
28 SPECIAL FOCUS: Better management through best practices.

Service Providers

29 FDA turns to Verizon for VoIP rollout.
29 Banner year expected for convergence.
32 Johna Till Johnson: A final look back at '05 prognostications.

33 AJAX accelerates Web applications.

Opinions

36 On Technology: Soft tokens at the new Interop show.
37 Chuck Yoke: Visit the IT SPA in 2006.
37 Daniel Briere: Moore's Law. Metcalfe's Law; now McGuire’s.
58 BackSpin: Mistakes and annoyances.
58 Net Buzz: Did you hear who’s hanging around Redmond?

Management Strategies

50 Campus creates a collaborative IT culture: University of Maryland, Baltimore CIO Peter Murray discusses how he achieved that goal.

In the industry’s first comprehensive test of Web front-end performance, we found that the benefits of app acceleration are real. But there's a trade-off between speed and scalability. Page 38.

Test results for compression. Page 39.

Test results for TCP multiplexing. Page 42.

Go online for product-by-product breakdowns for Array, Citrix, Crescendo Networks, F5 Networks, Foundry Networks and Juniper Networks. www.networkworld.com, DocFinder: 1741
Network World ITVideo: Cool Tools on wireless music

Cool Tools Editor Keith Shaw says you can free yourself from the computer and listen to your PC-based music on virtually any stereo in the house — without needing a network — with the Logitech Wireless Music System. Watch his demonstration at: DocFinder: 1750

Gibbsblog: The myth of the digital lifestyle

Columnist Mark Gibbs is tired of industry execs talking about the wired home. Some readers are, too — because like Gibbs, they want stuff that actually works. DocFinder: 1751

Chinese domain-name registration

Columnist James Gaskin notices that the number of domain names registered in China has topped 1 million. That makes him both nervous and optimistic. DocFinder: 1752

Management Notes

A lot happens in network and systems management. Senior Editor Denise Dubie keeps you up-to-date with daily Management Notes posts. DocFinder: 1753

Online help and advice

When the laptop keeps disconnecting from wireless

Help Desk Editor Ron Nutter helps a user who wonders why his Windows XP laptop keeps getting kicked off his networks. DocFinder: 1754

Readers check in on the wireless woes

Some of Nutter's readers have their own suggestions. Read them and add your own. DocFinder: 1755

Measuring your WAN apps

Analyst Robin Gareiss discusses a new service from Masergy that lets you gauge the performance of applications on your WAN in real time. DocFinder: 1756

Got a question?

Post it in our forums and get help. We've got all the key enterprise topics covered. Free registration is required (helps keep the spammers at bay and lets you get notification of replies to your posts). DocFinder: 1757

Seminars and events

Who’s the new driver of IT in the enterprise today?

Do you deal with automation, compliance and integration, and make decisions that affect applications, processes and security? Then don’t miss Network Management: The New Core Competency, the new Technology Tour event coming to New York, Denver, Houston and Washington, D.C. Be there compliments of Network World. For details visit DocFinder: 1758

COOLTOOLS

The Logitech Wireless Music System lets you stream music stored on a PC to any stereo system within a 330-foot radius. Page 34.
We’ve made it easy to access articles and resources
Claflin to step down as 3Com CEO

■ 3Com President and CEO Bruce Claflin last week announced plans to retire, leaving an open timetable for when he will step down as the company begins the search process for his successor. Claflin joined 3Com as president and COO in 1998 and took over as CEO in 2001. Over the past four years, 3Com has operated in the red, but its losses shrank from $349 million in its fiscal year 2004 to about $195 million in 2005. Claflin has stated that he expects the company to be profitable by 2007. Claflin was largely behind 3Com’s pullout from the high-end switching and routing market in 2000. He oversaw the divestment of its carrier business CommWorks and the company’s transformation after the dot-com crash into a small and midsize business and consumer-focused network company, with such products as broadband gear and the Audrey Internet-radio appliance. He also helped engineer the company’s more recent efforts to re-establish its large corporate market presence, including a joint venture with Chinese network giant Huawei Technologies.

TheGoodTheBadTheUgly

IBM remains patent king. The U.S. Patent and Trademark Office last week said IBM last year once again received more U.S. patents than any other company, the 13th straight year this has happened. IBM, which was awarded 2,941 patents, says it is undertaking an effort with the Patent Office and Open Source Development Labs to boost patent quality.

Ex-IBM CEO dies. Frank Cary, who was chairman and CEO of IBM from 1973 to 1981, died Jan. 1 at the age of 85. He led the company during challenging times, dealing with anti-trust lawsuits and rising competition from Japanese firms.

Cookies crumble at NSA. The National Security Agency last week acknowledged that it accidentally had been using cookies on its site that could be used to track visitors' Web surfing activities, according to the Associated Press. AP reported that the cookies, which the NSA said were the result of a software upgrade, disappeared after a privacy activist complained and the AP made inquiries.

Report: Deal for Cisco and EDS

■ Cisco and Electronic Data Systems are close to landing a $15 billion network upgrade and outsourcing deal with General Motors, a financial analyst reported last week. Merrill Lynch research analyst Tal Liani issued a report on the potential five-year contract, which would involve the installation and management of new Cisco IP data and voice-network gear by integration giant EDS. Cisco declined to comment. The report says that GM is looking to upgrade to a corporatewide IP telephony infrastructure and to consolidate its data centers with Cisco equipment. The IP voice part of such a contract would be huge for Cisco, Liani writes, as “GM currently has over 200,000 employees in North America. And at a price of around $200 per Cisco IP phone, this implies $40 million worth of revenue simply for upgrading GM’s phones.” The deal’s estimated size also does not account for IP PBX, power-over-Ethernet switches, routers, VoIP gateways and other gear that would be required for such a large-scale project, the report says.

Another storage tape missing

■ A computer tape from a Connecticut bank containing the personal data of 90,000 customers was lost in transit recently, the bank reported last week. The tape contains information such as names, addresses, Social Security numbers and checking account numbers. It was bound for the TransUnion credit-reporting bureau in Woodlyn, Pa., via UPS. The bank says it has not received any reports of unauthorized activity on the affected accounts and has no reason to believe the data has been used improperly. The bank considers misuse of the data “highly unlikely.” Loss and theft of personal data has taken on a high profile since the theft of 145,000 consumers’ data from credit and personal information vendor ChoicePoint in February 2005. There have been dozens of reported cases of loss or theft of personal information since, involving more than 52 million people, according to a chronology compiled by the Privacy Rights Clearinghouse.

compendium

RoboRoaches

Japanese researchers have successfully replaced cockroach antennae and wings with tiny "backpacks," through which they can control the insects’ movements remotely. Find out more at www.networkworld.com, DocFinder: 1749.

“We have nation states that have information warfare as one of their key military components. They’re after getting into the best network in the world, and that’s ours.”

Lt. Gen. Charles Croom, director of the Defense Information Systems Agency. See story page 8.

WLAN spec garners agreement

■ An industry group seeking common ground on the emerging IEEE 802.11n high-speed wireless LAN specification has agreed on a compromise proposal that may form the basis of a final standard. Last week the Enhanced Wireless Consortium, which includes backers of all the major factions in the fight over how to boost the speed and range of WLANs, approved the proposal by a unanimous online vote with two abstentions, according to Bill McFarland, CTO at Atheros Communications, a semiconductor vendor that belongs to the group. The 802.11n standard is intended to be the next step up in WLANs, offering throughput of more than 100Mbps and support for multiple VoIP and video streams. But the road to a standard has been long and rocky. The joint-proposal group was formed in the middle of last year after none of the plans that had been proposed could garner enough votes for approval.

‘Google-killer’ goes into hiding

■ A project to develop advanced multimedia search technologies led by France’s electronic giant Thomson has gone into hiding in the face of intense publicity that it is building a “Google-killer” that will help to improve Europe’s standing in the high-tech world. The project, called Quaero, found itself in the spotlight following remarks by French President Jacques Chirac in a speech laying out his agenda for France in 2006. “We must take up the challenge posed by the American giants Google and Yahoo,” Chirac said, discussing the importance of technology to Europe’s economy. “For that, we will launch a European search engine, Quaero.” There was talk of a coming-out party next month where Quaero’s goals would be described in more detail, although a spokeswoman for the project said no event has been planned. The scrutiny was apparently too much for Thomson’s chairman, Frank Dangeard, who imposed a “news blackout” on Thomson’s media staff and ordered the project’s Web site to be taken offline.


Military clamping down on security

BY ELLEN MESSMER

PALM HARBOR, Fla. — Amid growing concern about hacker infiltrations into military computers, the top commander for the Department of Defense network operations has ordered a crackdown on security.

Lt. Gen. Charles Croom, commander of the Joint Task Force on Global Network Operations (JTF-GNO) and director of the Defense Information Systems Agency (DISA), last week said a sweep is under way of all Defense Department networks to uncover security holes amid a get-tough policy.

“The attacks are coming from everywhere and they’re getting better,” said Croom in his keynote address at the Department of Defense Cyber Crime Conference in Palm Harbor, Fla., last week. “They’re exploiting weaknesses in our detection tools.”

The discovery of a botnet last November in Defense Department networks contributed to the decision to clamp down security. Jeanson James Ancheta, 20, was arrested by the FBI for allegedly implanting and running the remotely controlled spyware inside the department and elsewhere.

“It started on Nov. 5 with an information assurance stand-down day,” Croom told the roughly 500 conference attendees. The military stand-down — a cessation of regular activities in order to probe security problems — is ongoing as DISA attempts to verify the tens of thousands of user accounts for Army, Navy and Air Force personnel.

No good news

So far, the results are troubling.

“Almost 20% of our accounts are unauthorized or had expired,” Croom said, noting that military personnel tend to move every two or three years and accounts are sometimes left open. The exact tally of improper accounts won’t be known until March, he said.

In addition, the military is increasingly fending off targeted phishing attempts in which attackers try to spoof victims into giving up passwords.

Back doors left open by not properly shutting down network circuits also are of concern to Croom, who has held the top job in Defense Department network operations since July, when he succeeded Lt. Gen. Harry Raduege. Croom said the paperwork for circuits must be in order or the circuit will be shut down.

“Last week we closed down four circuits to users,” Croom said, though not identifying the exact locations. “Now I get an e-mail saying the paperwork will be in today.” This get-tough approach is needed to put teeth into already existing policy.

A united front

The biggest changes to come may be in the next six months as the JTF-GNO, the organization set up to centralize decisions about security and operations in the Army, Navy, Air Force and Marines, evaluates a possible redesign of its two primary, global, IP-based, military networks.

The Non-Secure Internet Protocol Router Network (NIPRNet) is used for unclassified communications while the Secret IP Router Network (SIPRNet) is used for classified communications.

“DISA wants to redesign these networks with security as the upfront criteria,” Croom said.

The decades-old NIPRNet is a non-homogeneous combination of more than 1,500 networks, Croom said, adding that he helped wire some of it by hand. The SIPRNet has better security at its perimeter but also could benefit from internal partitioning, he said.

One difficulty is that the Defense Department has basically no end-to-end network management, Croom said, adding that he hoped this would be part of the architectural changes under review in the next six months.

In addition to the security crackdown, the Defense Department Cyber Crime Conference highlighted other advances for the department.

The Defense Cyber Crime Center, in Baltimore, which carries out computer forensics work for the military, announced its lab methodologies and standards earned it the accreditation of the American Society of Crime Laboratory Directors (ASCLD), making it one of only six computer forensics labs in the country to hold that distinction.

“This can give the [Defense Department’s] leadership the confidence that they have experts in their line of work,” said Lt. Col. Kenneth Zatyko, director of the Center’s Defense Computer Forensics Laboratory.

A big step

Steve Shirley, executive director of the Defense Cyber Crime Center, said the ASCLD accreditation is an important step because it is valued by the court system when digital evidence is exhibited in a criminal case.

The Defense Department and the Department of Justice also are working together to define possible requirements to certify computer forensics examiners because there is no recognized authority for this type of expert, although a handful of universities now have programs for this position.

“In air flight, the first aviators didn’t have a pilot’s license,” Shirley said. “We’re sort of in the same stage of development when it comes to digital forensics examiners.” ■

[Photo caption] Lt. Gen. Charles Croom is overseeing an overhaul of the Defense Department's networks.

Cisco readies storage switch

BY DENI CONNOR

Nearly three and a half years after announcing a high-end storage switch, Cisco says the market is finally ready for it.

Sources say the company, which is already among the market leaders in storage switching, is expected to introduce as soon as April a 528-port Fibre Channel device designed to help companies consolidate their storage-area networks (SAN) and avoid over-subscribing ports on smaller switches. Cisco declined to comment.

The Cisco MDS 9513 MultiLayer Director originally debuted in August 2002 when Cisco said it was getting into the Fibre Channel switch market. But the company decided to hold the then 256-port MDS 9513 off the market because of lack of demand for so dense a switch, a Cisco spokesman says.

“Cisco waiting to do a 4Gbps x 528-port switch makes a lot of sense,” says Greg Schulz, senior analyst with StorageIO. “Keep in mind that the 256-port market is just now in prime time.”

The switch, in beta test, features 13 slots and 528 4Gbps Fibre Channel ports. It tops Cisco’s current high-end offering, a 224-port device, and surpasses McData’s 256-port Intrepid 10000 Director. Like Cisco’s other Fibre Channel switches, it is expected to support not just Fibre Channel but also protocols such as iSCSI and Fibre Channel over IP. It also will support intelligent storage services such as virtualization, sources say.

The desire to get away from over-subscribing current switches could be a powerful selling factor, observers say.

“Over-subscription makes sense if you can manage and allocate the tiered ports similar to how it is done in the LAN world,” Schulz says. “However, it has also been a contentious topic among storage administrators, some of whom have seen it as a cardinal sin in I/O configuration.”

SAN consolidation also could generate demand.

“Our move to [128-port] director-class MDS 9509s from the core-to-edge scenario has brought ease of provisioning, ease of use and less complexity to our environment,” says Michael Passe, storage architect for Caregroup/Beth Israel Deaconess Medical Center, in Boston. “I would imagine that the MDS 9513 would do the same for people with higher numbers of hosts, who would like to move away from the core-to-edge design they might have used in the past, and consolidate on a single backplane.”

Cisco’s entry into Fibre Channel storage in 2003 had considerable impact on the director-class market. In the fourth quarter of 2004, barely one and a half years after entering the market, Cisco and McData tied for market share leadership with 32.6%, according to The Yankee Group. ■

Storing up the switch

Get Senior Editor Deni Connor's opinion of Cisco’s move in her blog. DocFinder: 1759

Sweet on storage

A look at Cisco's key storage moves.

July 2000: Acquires NuSpeed and its Fibre Channel-to-IP router.
April 2001: Introduces SN 5420 Storage Router.
May 2002: Introduces SN 5428 Storage Router.
August 2002: Introduces Fibre Channel directors and switches.
August 2002: Acquires Andiamo, intelligent switch technology.
March 2004: *Captures 17.2% of the director-class switch market, up from 0% two years earlier.
June 2004: Acquires wide-area file services vendor Actona.
July 2004: Partners with IBM to put virtualization on Cisco MDS 9000.
December 2004: *Tied with McData for the leading share of the director-class switch market, with nearly 33%.
April 2005: Acquires InfiniBand vendor Topspin.

* Source for market share numbers: The Yankee Group.
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Remote  KVM~  via  IP 


Manage  an  entire  room  full  of  Windows  and  Linux  servers 
from  a  single  desktop,  from  anywhere  over  the  Internet. 

•  Eliminate  need  for  multiple  keyboards, 
monitors  and  mice 

•  No  client  software  required 


Remote  Power  Managers 


Secure  Console  Managers 

Remotely  manage  Linux™,  Unix®  and  Windows®  2003 
servers,  routers,  switches,  telecom  and  building 
access  equipment,  complete  with  BIOS-level  control. 

•  Respond  faster  and  reduce  downtime 

•  Consolidate  resources  and  minimize  costs 


Stay  cool. 

Be  remote. 

SecureLinx 


Secure  Management  Appliance 

Seamlessly  integrate  equipment  connected  by 

console  servers,  KVMs  and  remote  power  managers. 

•  Consolidate  management  of  IT 
infrastructure  from  a  central  point  of 
access  through  a  simple  browser  interfece 

•  Reduce  equipment  maintenance, 
diagnosis  and  repair  time 


Lantronix  Lets  You  Control  Your  Data  Center  From  Anywhere  - 
Without  Breaking  A  Sweat. 

Are  you  going  to  blow  your  cool  sweating  over  racks,  loading  software,  checking 
power  and  rebooting  computers  when  there’s  sooooo  many  better  things  to  do  in  life? 


Control  the  power  individually  to  every 
device  in  the  data  center  via  a  web  browser. 

•  Reboot  systems  remotely 

•  Ensure  safe  power  distribution  and  reduce 
in-rush  overload 


Don’t  bother.  You  just  need  Lantronix. 

With  SecureLinx  and  its  “lights  out”  remote  data  center  management,  you’re  in  total 
control  of  your  servers  and  IT  equipment  from  a  single  interface,  from  anywhere  at  any  time  -- 
just  the  way  you  like  it.  Plus,  you  get  total  out-of-band  access  if  the  network  is  down. 

Thousands  of  customers  give  Lantronix  props  for  security,  reliability  and  performance. 

And  only  Lantronix  gives  you  a  NIST-certified  implementation  of  the  Advanced  Encryption 
Standard  (AES)*  plus  SSL  and  SSH.  With  more  than  fifteen  years  of  experience  and  millions 
of  networked  devices,  we’ve  got  your  back.  Lantronix  makes  it  easy  to  stay  cool. 


Get  your  Secure 
Remote  Management 
White  Paper  at 
www.lantronix.com 


LANTRONIX

Network anything. Network everything.


*NIST-certified implementation of AES as specified by FIPS-197.

© Lantronix, Inc., 2005. Lantronix is a registered trademark, and SecureLinx is a trademark of Lantronix, Inc. All other marks are property of their respective owners.


www.lantronix.com | 800.422.7055
Nortel’s protection plan


Nortel  is  introducing  a  network  access  control  (NAC)  product  designed  to  block  access  on 
infected  PCs  and  laptops  without  installing  permanent  software  clients  on  them. 
[Diagram labels: Nortel Secure Network Access Switch; wiring closet switch; switch; enterprise network]
1  A user attaches to the network and is directed to the Secure Network Access Switch (SNAS). Windows-based logon/password
information is passed from client to the SNAS. Non-Windows clients authenticate through a Web browser.

2  The SNAS downloads a temporary Java-based applet that inspects the machine and gathers data from locally installed anti-virus
clients from other vendors.

3  If the data is verified, the SNAS directs the wiring closet switch to grant access to the network.


Symantec, 
Kaspersky 
criticized 
for  cloaking 
software 

BY  ROBERT  MCMILLAN,  IDG 
NEWS  SERVICE 

The Windows operating system
expert who exposed Sony BMG
Music Entertainment’s use of rootkit
cloaking techniques last year is
now criticizing security vendors
Symantec and Kaspersky Lab for
shipping software that works in a
similar manner.

Mark Russinovich, chief software
architect with systems software
company Winternals Software,
says the techniques used
by Symantec’s Norton SystemWorks
and Kaspersky’s Anti-Virus
products are rootkits, a term
usually reserved for the techniques
used by malicious software
to avoid detection on an
infected PC.

There is “no good justification”
for using such techniques,
Russinovich says.

Both Symantec and Kaspersky
concede that they have shipped
software that hides information
from system tools, but told IDG
News Service they disagreed with
Russinovich’s use of the term
rootkit. They say because their
software was not designed with
malicious intent, it should not be
lumped into the same category.

Still,  both  companies  appeared 
to  be  sensitive  to  Russinovich’s 
criticism. 

Symantec last week issued a
patch to SystemWorks that disabled
the cloaking feature. And a
representative from Kaspersky
says it’s possible that his company
could take similar action.

Unlike Sony’s XCP (Extended
Copy Protection) software, the
Symantec and Kaspersky products
do not cloak the fact that certain
pieces of software are running
on the computer. Instead,
they hide data.

Symantec’s Norton SystemWorks’
PC-tuning software uses
cloaking  techniques  to  hide  a 
directory  of  back-up  files.  This 
technique  has  been  employed  by 
SystemWorks  since  the  1990s  to 
prevent  users  from  accidentally 
deleting  these  files,  according  to 
the  company.  ■ 


Nortel 

continued  from  page  1 

for  release  in  mid-February  —  is  a 
network  appliance  that  attaches 
to  an  aggregation-layer  switch  and 
controls  network  access  through 
wiring  closet-level  switches  at  the 
LAN  edge. 

When a machine accessing a
LAN requests an IP address from a
local DHCP server, the connection
is directed to an SNAS, which
authenticates the device and
downloads a temporary Java applet
to the machine. This software,
which deletes itself after logoff,
inspects the machine and verifies its
anti-virus status and other software
profiles (see graphic).

“It’s  very  easy  to  administer  be¬ 
cause  you  don’t  have  to  manage 
clients,”  says  Pat  Patterson,  direc¬ 
tor  of  Nortel’s  enterprise  security 
solutions  group.  “Most  solutions 
we’ve  seen  that  try  to  use  a 
clientless  approach  require  all 
traffic  to  go  through  an  appli¬ 
ance.  .  .  .  Our  approach  won’t 
screw  up  [a  customer’s]  latency- 
sensitive  traffic  by  creating  that 
kind  of  bottleneck.” 

Nortel  includes  an  endpoint 
security  technology  with  its  SSL 
VPN  products,  which  allows 
users  to  scan  and  block  PCs  and 
laptops  entering  a  corporate  net¬ 
work  through  a  remote  connec¬ 
tion.  The  SNAS  brings  this  capa¬ 
bility  to  LANs. 

“We’re  really  interested  in  lock¬ 
ing  down  Ethernet  ports,”  says 
Sheng  Guo,  CTO  for  the  State  of 
New  York  Unified  Court  System, 
which  uses  Nortel  gear  in  all  state- 
run  courthouses  and  judicial 
offices.  “This  is  definitely  a  hole 
that  needed  to  be  filled  and  some¬ 
thing  we’re  looking  forward  to.” 

One of the ways Guo’s staff
secures the network is by turning
off unused LAN switch ports. But
this is time-consuming and nonexact,
he says. “You may be right or
wrong — and if you shut down the
wrong port, you can cause a lot of
headaches.” A system that automatically
secures every port based
on the device attached could help
solve this issue, he says.

Closer look

The head of Nortel's Ethernet business
dives deeper into the company's 2006
switch plans in a Q&A.

One  SNAS  can  support  as  many 
as  2,000  concurrent  network- 
attached  devices  —  such  as  PCs 
and  laptops,  as  well  as  IP  phones, 
wireless  LAN  access  points  and 
networked  printers. 

The SNAS will compete with
NAC products and systems such
as 3Com’s TippingPoint-based
NAC technology; Alcatel’s CrystalSec
system; Cisco’s Network Admission
Control; Enterasys’
Trusted End-System Solution; and
products from vendors such as
Check Point, ConSentry and
Lockdown Networks.

Upgrades  in  the  works 

Upgrades  are  also  in  the  works 
to  add  line-rate  firewall  and 
IPS/IDS  features  on  Nortel’s 
Ethernet  Routing  Switch  (ERS) 
8600,  introduced  last  year.  An  ERS 
8600  with  a  Service  Delivery 
Module  —  a  four-processor 
blade  that  can  run  third-party 
applications  —  will  be  able  to 
run  Sourcefire’s  IPS  application 
in  March,  says  Sanjeev  Gupta, 
director  of  Nortel’s  Ethernet 
Switching  Business.  The  blade 
currently  allows  ERS  8600 
switches  to  run  Check  Point  fire¬ 
wall  software. 

“Customers  say  they  want  more 
integrated  security  in  Ethernet 
switching  in  data  centers  —  they 
don’t  want  to  deploy  multiple 
devices  for  firewall,  IPS  and  other 
security  services,”  Gupta  says. 

By  the  end  of  the  second  quar¬ 
ter,  Nortel  plans  to  announce  an 
upgrade  to  the  ERS  8600  switch 
software,  as  well  as  processor  and 
memory  upgrades  that  will  push 
Check  Point  and  Sourcefire  fea¬ 
tures  down  to  every  port  on  the 
switch,  Gupta  says. 


Nortel’s  Service  Delivery 
Module  —  similar  to  application- 
based  modules  from  Cisco,  F5 
Networks  and  others  —  requires 
traffic  from  all  ports  to  travel 
through  a  switch  backplane  to  a 
blade  in  order  to  process  packets 
through  a  firewall,  IPS  or  other 
applications  on  a  module. 

The upgrade will allow Service
Delivery Module applications to
be physically processed on individual
ports. (See a diagram of
how this works online at
www.networkworld.com,
DocFinder: 1760.)

“Now  you  have  distributed  pro¬ 
cessing  on  every  port  in  the  8600 
switch,”  Gupta  says.  “Every  port 
can  be  fully  secured.” This  works 
by  having  the  session  tables  cre¬ 
ated  on  the  Check  Point  firewall 
blade  pushed  down  to  individual 
network  processors  installed  on 
each  port  on  the  8600  line  cards. 

In another expected release in
March, Nortel plans to announce
Version 4.1 of its ERS 8600, which
includes software and processor
upgrades. The upgraded switch
will also include a new version of
Nortel’s SMLT.

This Layer 2 protocol allows
Nortel switches to be configured
in redundant, high-bandwidth
configurations. With standard
Layer 2 Ethernet, connecting a
single switch with uplinks to two
separate switches — or multihoming —
allows only one link to
be active. Spanning Tree Protocol
is used to detect if one link fails,
and then the secondary link is
activated after a short delay (up
to 30 seconds).

Nortel  says  SMLT  allows  both 
links  in  a  dual-homed  setup  to  be 
active,  while  providing  sub-sec¬ 
ond  failover. 


The  improvement  to  SMLT 
shaves  about  760  millisec  off 
Nortel’s  past  SMLT  technology. 
(Past  failover  time  of  830  millisec 
will  be  cut  down  to  70  millisec; 
optical  SONET  networks  in  carri¬ 
ers  fail  over  in  50  millisec). 

While  this  may  seem  like  an 
imperceptible  blink  of  an  eye, 
the  gap  is  huge  for  networks  that 
run  latency-sensitive  traffic, 
Gupta  says. 

“This  provides  business-grade 
voice  with  no  disruption  at  all,  in 
case  of  a  link  or  switch  hardware 
failure,”  Gupta  says. 

Nortel  plans  to  introduce  SMLT 
on  more  of  its  LAN  products  in 
the  second  half  of  this  year.  In  the 
third  quarter,  SMLT  is  expected  to 
be  available  on  the  ERS  8300,  a 
chassis-based  wiring  closet  de¬ 
vice,  and  Nortel’s  BayStack  line  of 
fixed-configuration  boxes. 

This  product  push  comes  after 
Nortel  experienced  several 
rounds  of  leadership  changes 
and  restructuring  last  year.  Two 
key  executives  —  CTO  Gary 
Kunis  and  COO  Gary  Daichendt 
—  left  abruptly  in  June,  followed 
by  the  departure  of  CEO  Bill 
Owens,  who  had  been  on  the  job 
for  a  little  more  than  a  year.  He 
was  replaced  by  Motorola  Presi¬ 
dent  and  COO  Mike  Zafirovski.  In 
a restructuring in September
2005, the head of Nortel’s enterprise
group, Malcolm Collins, left.
Steve Slattery, who once headed
Nortel’s carrier wireless group,
took over.

In  enterprise  switching,  Nortel 
has  slipped  from  6.3%  of  the  total 
Ethernet  market  in  2003  to  less 
than  5%  in  2005.  Cisco  controls 
69%  of  worldwide  Ethernet  rev¬ 
enue,  according  to  Synergy 
Research  Group.  ■ 


ADVERTORIAL 


Realizing  a  Dream  Data  Center  Design 

Using Force10 high-density switch/routers, Veritas’ IT team was able to implement the simple, scalable design they desired.


Processing  volumes  of  data  better,  faster  and 
cheaper  is  at  the  heart  of  Veritas  DGC's  value  propo¬ 
sition  to  its  customers  —  making  IT  strategic  to  the 
company's  competitiveness.  So  when  it  came  time  to 
upgrade  its  computing  clusters  from  Fast  Ethernet  to 
Gigabit  Ethernet  (GbE)  connections  (one  of  several 
cluster  interconnect  technologies  used),  the  IT  team 
knew  it  had  an  opportunity  to  design  a  network  core 
that  could  help  the  company  reduce  data  center  costs 
and  hone  its  competitive  edge  for  years  to  come. 


Veritas'  Global  Processing  Facility  in  its  Houston 
Headquarters  effectively  manages  the  extreme  compute 
demands  of  today’s  most  advanced  geophysical  processing. 


Veritas,  headquartered  in  Houston,  Texas,  is  a  lead¬ 
ing  provider  of  integrated  geophysical  information 
and  services  to  the  petroleum  industry  worldwide. 
Among  its  services  are  seismic  survey  planning  and 
design,  seismic  data  acquisition,  and  the  processing, 
visualization,  and  archiving  of  3D  and  2D  data. 

Due  to  the  enormous  amount  of  processing  capac¬ 
ity  and  network  bandwidth  required  to  manipulate 
such  complex  data,  Veritas'  IT  infrastructure  is  key 
to  its  ability  to  generate  revenue.  Making  that  infra¬ 
structure  ever  more  efficient  is  a  challenge  for  IT. 
"We  have  to  be  able  to  drive  down  our  costs  so  we 
can  reduce  costs  to  customers,"  notes  Phil  Gaskell, 
Veritas'  Global  Network  Manager.  "If  we  can  deploy 
a  network  for  $3  million  as  opposed  to  $5  million, 
we  can  deliver  a  more  cost  effective  solution  and 
improve  our  bottom  line." 

When  IT  staff  brainstormed  about  what  the  ideal 
data  processing  facility  design  would  be,  it  became 
clear  they  wanted  fewer  layers  in  the  network.  "That 
was  our  dream  design  —  everything  taken  away,  with 
a  big  chuffing  switch  with  lots  of  ports  at  the  core," 
says  Doug  Northrup,  Veritas'  Houston  Manager  of 


Networks. Force10 Networks was the only vendor that
could  deliver  a  switch/router  with  the  port  density  and 
resiliency  Veritas  needed,  according  to  Northrup. 

Realizing  the  Dream  Core 

The  initial  challenge  facing  the  IT  team  was  to 
scale  the  network  core  in  each  data  processing  center 
to  accommodate  large  numbers  of  GbE  interfaces. 
But  the  team  also  wanted  a  network  design  that  was 
flexible  and  scalable  enough  to  accommodate  new 
technologies  and  traffic  flows  down  the  line.  Lack¬ 
ing  a  very  high  density  core  device,  other  networking 
vendors  proposed  designs  that  required  numerous 
inter-switch  links.  And  IT  would  have  had  to  build 
resiliency  into  the  network  through  redundant  devices, 
links  and  other  mechanisms. 

"That  design  would  have  cut  down  on  the  infra¬ 
structure's  scalability  and  increased  the  cost  and 
complexity,"  Northrup  says.  "You  end  up  using  more 
ports  to  connect  switches  together  than  you  do  for 
connecting  systems  to  switches.  And  instead  of  a 
non-blocking  core,  you  have  to  implement  an  over¬ 
subscribed  core." 

In contrast, Force10's E-Series 1200 switch/router
scales up to 1260 GbE or 224 10 GbE ports per
chassis and features a non-blocking switch fabric. The
E1200 has allowed Veritas to eliminate an aggregation
layer from its network architecture, reducing overall
network cost as well as latency. "Don't aggregate
unless you have to," Gaskell advises. "It adds costs
and inefficiencies."

In addition to high port density, resiliency is
built into the E1200. All E-Series devices have fully
redundant components, ensuring hitless failover with
no packet loss in the event a component fails. The
E-Series also has a fully distributed architecture with
independent processors for switching, routing, and
management, which allows faults to be contained.
Because resiliency is inherent in the E1200, Veritas'
IT team didn't have to build these capabilities into the
network, thus lowering their operations and management
overhead.

"The E1200 is a very well designed, redundant
piece  of  machinery,"  Northrup  says.  Gaskell  concurs: 
"The  only  component  we  could  break  was  the  paint. 
I  can  sleep  well  at  night." 

The  Ultimate  Benefit:  Flexibility 

Veritas currently has Force10 E600s and E1200s
deployed  in  its  Houston,  London,  and  Singapore  data 
centers.  Having  such  high-density  switch/routers  has 
allowed  IT  to  build  efficient,  high  bandwidth,  resilient 
data  center  back  ends  with  the  scalability  to  accom¬ 
modate  future  changes. 

And by allowing Veritas to implement a simpler
network design, the E1200 has enabled IT to drive
down equipment and overhead expenses. Fewer
devices in the network means lower power consumption
and cooling costs, for example, and less
management overhead. Northrup notes that transitioning
to Force10's equipment was "seamless," with
virtually no learning curve for the staff.

Above all, Force10 has given Veritas flexibility.
"We're  always  pushing  the  edge  with  new  technolo¬ 
gies,"  notes  Gaskell.  "Flexibility  was  one  of  the  main 
things  we  were  looking  for.  We  don't  know  what's 
coming  around  the  corner  and  we  don't  want  to  lock 
ourselves  into  an  architecture.  Such  a  high  density 
core  gives  us  the  flexibility  to  explore  different  design 
options.  And  if  a  new  technology  comes  along,  or  the 
algorithms  or  traffic  flow  change,  we  wouldn't  have  to 
re-engineer the network or forklift out the infrastructure
with Force10."
Cisco President and CEO John Chambers says the company's multiple products,
upgrades and strategies offer customers flexibility rather than overload.


Chambers 

continued  from  page  1 

felt  for  over  a  decade  that  those 
markets  would  completely  come 
together,  with  data,  voice,  video 
and  mobility  convergence.  We  felt 
that  you  just  couldn’t  play  in  one. 

[We  believed]  the  lines  between 
them  would  dramatically  blur,  in 
part,  based  on  how  well  service 
providers  executed. 

Service provider and SMB are
about 25% [of revenue] each,
enterprise about 45% and consumer
about 4%. So consumer
has the potential for the fastest
growth. In terms of dollar contribution,
the commercial marketplace
is where we would anticipate
the whole industry seeing
the most growth, especially the
networking [sector]. The commercial marketplace
for us last quarter grew in the mid-20%
range, while our business as a whole grew in
the low teens.

We  still  have  about  45%  to  50%  of  our  [engi¬ 
neering  and  R&D]  resources  focused  on  ser¬ 
vice  provider.  Enterprise  continues  to  be  the 
leading-edge  user  for  much  of  the  market¬ 
place,  especially  as  we  make  our  moves  into 
the  data  center  and  with  the  virtualization  of 
application  servers  and  of  storage.  We  think 
the  network  will  become  the  platform  that 
will  deliver  services,  applications  [and  more] 
to  all  four  markets. 

Should  enterprise  customers  be  concerned  that 
you  have  too  much  on  your  plate  right  now? 

When we go into a market our goal has
always been to be No. 1 or 2 with, ideally 40%
market share. Our hit rate has
been really high, unlike almost all
of our peers. Very few of the players
in the industry have gotten
beyond one or two primary products.
We’re in the eight to 15
range. So we’ve had a remarkable
track record.

Our natural alignment is toward our enterprise
customers. Actually, enterprise points us
to what we need to do in service provider,
[SMB] and even within the consumer segment.
When I [spoke recently] with a large
customer, they said they want us to have a
security strategy for the enterprise but they
want us to have it across service providers
and down to the home.

Secondly, many of our ideas have always
come from the enterprise side. The Big Three
[automakers] pushed us really hard on
changing our support model to add the thin
layer of consulting. They said ‘If we’re going to
become dependent on you as our preferred
player in so many areas, you’ve got to help us
adjust to the new technologies faster. And
you’ve got to tie them together and help us
do that. While we might have expertise in
some of the areas, we will never have expertise
across the board. And while your partners
will help us, nobody can help us like you do.’

Our  track  record  has  shown  we’ve  always 
stayed  committed  on  issues.  Part  of  the  rea¬ 
son  people  standardize  on  us  is  when  we  say 
we’re  going  to  do  something,  even  if  it  takes 
us  a  long  time  to  get  it  right  —  network  man¬ 
agement  we’re  still  trying  to  get  right  —  we 
stay  with  it,  stay  committed  to  what  we’re 
doing,  or  if  we  change  we  let  them  know. 


The  initiatives  you're  undertaking  with  applica¬ 
tion  networking  and  security  put  you  in  con¬ 
tention  with  people  who  are  currently  partners. 
Are  you  concerned  about  this? 

Philosophically, I don’t partner and then
compete later. I won’t enter into strategic
partnerships that I think will not have lasting
evolution. Secondly, using IBM as an example,
they are my best partner today and they
will be my best partner 10 years from now.
Third, we see the market evolving very similarly.
We share what we’re doing with them
very closely, they share what they’re doing
with us very closely. And both of us have the
same philosophy.

Isn't  IBM’s  strategy  a  countervailing  notion  to 
providing  virtualization  through  the  network  - 
they  are  providing  virtualization  through  the 
management  layer  -  and  doesn't  that  by  its  very 
nature  put  you  in  competition? 

There  will  be  segments  in  which  we  may 


have overlapping philosophies.
But if you take a step back, it’s real
simple. I will partner with IBM for
as long as I think it is strategically
very important to my company
and I deliver on my ethical commitments.
If there’s a little bit of
overlap in one area, and yet we
can dramatically grow the revenues,
profits and customer loyalty
because of our ability to work
together, then [IBM and Cisco]
are going to do that. And then
we’ll let the [market] sort out
which products take the lead.
We’re not going to let our fields
mess up each other over a product
which accounts for a small
percentage of our revenue vs.
growing it in other areas.

If  you  look  at  IBM’s  total  revenue 
in  the  data  center,  consulting  or 
outsourcing  or  in  so  many  other  areas,  our 
overlap  is  a  relatively  small  number.  Our  ability 
to  grow  those  others  dramatically  faster  by 
working  together  is  [more  important]  than 
saying  that  if  we  have  any  overlap  we’re  not 
going  to  work  together.  If  you  overlap  too 
much  and  your  visions  of  how  the  market 
evolves are too different, you can’t have a partnership.
But I don’t think that will be the case.

If  you  go  back  to  innovation  being  doing  it 
yourself,  acquiring  or  partnering,  remember 
that  90%  of  the  acquisitions  in  my  opinion 
still  fail.  But  our  hit  rate  has  been  remarkably 
high.  If  you  can’t  acquire,  I  would  argue  you 
can’t  partner.  Partnering  is  much  more  diffi¬ 
cult  than  acquiring:  At  least  [in  an  acquisi¬ 
tion]  you  control  the  resources  for  a  period 
of time. I believe that partnering will be one
of  the  four  or  five  major  variables  that  deter¬ 
mine  a  company’s  success.  And 
partnering  is  not  reselling  prod¬ 
ucts.  It’s  really  about  whether  you 
can  go  to  market  together  with 
the  strengths  of  both  organiza¬ 
tions  in  a  way  that  gets  you  com¬ 
petitive  advantages  and  really 
focuses  on  delivering  the  power  of  the  net¬ 
work  to  your  customers. 

You  have  initiatives  under  way  in  the  data  center, 
storage,  security,  application  networking,  among 
others.  Is  there  a  fear  of  overloading  your  cus¬ 
tomer  base,  asking  them  to  make  too  many 
upgrades,  buy  too  many  products,  buy  into  too 
many  strategies,  at  a  time  when  they  are  trying 
to  reduce  complexity? 

CIOs are very concerned about the complexity
that exists and the costs of supporting
that complexity. But I would argue the
reverse; that actually works to our favor as
opposed to our detriment. If we can touch so
many of those elements off of a common IP
open standard that they don’t have to worry
about changing all their applications, it gives
them a lot of flexibility. So when you talk to
the CIOs you’re finding more and more of
them are leaning stronger and stronger to

See  Chambers,  page  56 


“We made a decision ... that we felt
the [network markets] would blur.
None of our peers followed that.”

Confessions of the World’s Most Demanding CIOs.


“To the future.
And step on it.”

company. With the help of HP Services, we set our sights on the future.

“The result? Today, we bring new vehicles to consumers in less than
24 months, down from 42. We're putting better quality automobiles
on the road than ever before. And we've consolidated information
systems by over fifty percent — all while saving hundreds of millions
of dollars a year through the use of precision information technology.
“HP listened instead of talking. HP sold ideas instead of pushing
product. HP helped make change a competitive advantage.”
IETF highlights

The  Internet  Engineering  Task  Force  turns  20  on  Jan. 16.  Here 
are  highlights  from  the  standards-setting  body's  illustrious  and 
irreverent  past: 

Greatest accomplishments: Producing key protocols that allow the Internet to work,
including Border Gateway Protocol, Open Shortest Path First, Session Initiation
Protocol, Post Office Protocol, Internet Message Access Protocol, Lightweight
Directory Access Protocol, MPLS and Simple Network Management Protocol.

Lost opportunities: Has failed to produce standards fast enough for the marketplace
in some areas such as firewalls, instant messaging and spam.

Funniest moment: Internet pioneer Vint Cerf, who always wears a three-piece suit,
stripped down to a T-shirt that read "IP on Everything" at the IETF's July 1992
meeting in Cambridge, Mass.

Saddest moments: The deaths of Jon Postel, editor of the IETF's standards documents
known as requests for comments, in 1998, and Routing Area Director Abha Ahuja
in 2001.

Quirkiest traditions: Humming approval. Publishing phony protocol documents on
April 1. Hosting late night Pretty Good Privacy signing parties. Toasting universal
deployment of IPv6 with scotch.

Loudest argument: The swearing, table-jumping brawl over the inclusion of encryption
in IPv6 at the April 1995 meeting in Danvers, Mass. Other infamous IETF fights
include a revolt over the leadership's selection of the next-generation Internet Protocol
at a 1992 meeting in Cambridge, Mass., and a raucous debate about wiretapping
at a 1999 meeting in Washington, D.C.

Fastest protocol development effort: Blocks Extensible Exchange Protocol (BEEP),
which supports connection-oriented, asynchronous interactions. The BEEP working
group was formed and concluded its work in 2001.

Longest protocol development effort: IPv6. The IPv6 working group was formed
in 1994 and has not disbanded. IPv6, an upgrade to the Internet's main protocol,
is not widely deployed.


IETF 

continued  from  page  1 

The IETF is an egalitarian, all-volunteer
group consisting of network
engineers from Cisco, IBM,
Microsoft, AT&T and other leading
vendors. It has created many
of the underlying standards that
make the Internet work, including
fundamental routing, e-mail,
directory services and telephony
protocols.

IETF  leaders  say  the  group’s 
greatest  accomplishment  is  that 
the  protocols  it  developed  let  the 
Internet  function  in  spite  of  dra¬ 
matic  growth  and  the  introduc¬ 
tion  of  new  services. 

“Despite  all  kinds  of  centrifugal 
forces,  the  Internet’s  technology 
has  stayed  reasonably  unified 
and  coherent  during  the  tremen¬ 
dous  growth  of  the  last  20  years, 
the  enormous  changes  in  under¬ 
lying  transmission  technology 
and  the  era  of  telecommunica¬ 
tions  liberalization,”  says  Brian 
Carpenter,  chair  of  the  IETF  and  a 
distinguished  engineer  with  IBM. 

“The [IETF’s] real achievement
has been keeping focus on the
unifying ideas, such as the end-to-end
principle,” Carpenter adds.
“The IETF didn’t invent those unifying
ideas, but it’s used them in
its protocol development work,
blended with pragmatism.”

Despite  the  group’s  many  engi¬ 
neering  triumphs,  the  IETF  is  best 
known  for  its  openness  and  indi¬ 
vidualistic  approach  to  standards 
development.  It  also  differs  from 
other  staid  standards  bodies 
because  of  its  quirky  traditions, 
which  include  registering 
approval  by  humming  rather 
than  raising  hands. 

“The biggest strength of the
IETF is its openness,” says Harald
Alvestrand, a Cisco fellow who
led the group from 2001 to 2005.
“We are able to take input from
the whole world, and we arrive at
our decisions through a process
that you are welcome to watch
and participate in.”

Alvestrand says the IETF’s openness
coupled with the expertise
of its participants result in higher-quality
standards.

The IETF held its first meeting
Jan. 16-17, 1986 in San Diego with
21 attendees. In March, the group
will hold its 65th meeting in
Dallas, and more than 1,000
attendees are expected. It will
publicly recognize its 20th birthday
at the meeting.

The  IETF  meets  three  times  per 


year,  but  most  of  the  group’s  deci¬ 
sion  making  is  done  via  e-mail 
posted  on  its  Web  site, 
www.ietf.org. 

The group has created many
important network industry standards,
including Border Gateway
Protocol and Open Shortest Path
First for routing; Post Office Protocol
and Internet Message Access
Protocol for e-mail; Session
Initiation Protocol for Internet
telephony; and Lightweight
Directory Access Protocol for
directory services.

Other  well-known  IETF  tech¬ 
nologies  include  MPLS  for  traffic 
engineering,  the  IPSec  security 
protocol  used  in  VPNs  and  the 
next-generation  Internet  protocol 
known  as  IPv6. 

“What we do is architect the
Internet, and the Internet is still a
pretty rollicking place,” says Fred
Baker, a Cisco fellow who served
as chair of the IETF from 1996 to
2001. “We describe different functions
that get done and principles
by which they work, which is a
different way to do architecture.”

The group has published more than 3,300 protocol documents known as requests for comments. These documents, which are used daily by corporate network managers, outline standards for configuring hosts, authenticating users, monitoring networks and many other necessary tasks.

“The IETF is interested in building something like a Swiss Army knife,” Baker says. “We give you the tools and you can go build your network. If you don’t have the right tools, then you can come back and identify the tools you need and we’ll build them.”

The IETF has created duds, too. IETF protocols that were never widely deployed include IP Multicast, a bandwidth-conserving technique for broadcasting information; and DNS Security, a technique for securing the DNS using public-key encryption.

In some areas, such as firewalls and instant messaging, the group failed to produce standards fast enough for the marketplace to adopt. However, its greatest misstep was its failure to grasp the importance of built-in security.

“We didn’t get serious about security early enough,” says Scott Bradner, a senior technical consultant with Harvard University who held leadership positions with the IETF from 1993 to 2003. “The Internet carefully delivers that virus to your door because its job is to deliver packets and not to inquire whether the application is good for you. The ’Net by itself is doing what it should do, but we don’t have intrinsic integrity and authentication. We didn’t do that way back when, and it should have been done.”

Unlike other standards-setting bodies such as the IEEE, World Wide Web Consortium and the International Telecommunication Union (ITU), the IETF has individual rather than corporate or government participants. Anyone can propose a protocol to the IETF, but the protocol must achieve rough consensus from the group and have working prototypes before it can be approved as a standard.

“In the ITU, governments approve the standards, and formal submissions come from companies,” explains Bradner, who serves as liaison between the IETF and ITU. “In the IETF, it’s individuals, not companies, who submit ideas. And it’s the consensus of the community as interpreted by the IETF leadership that prevails. That’s very different from having Germany decide it doesn’t like a standard.”

Bradner says the result of the IETF’s nongovernmental approach is that the group doesn’t focus on protecting existing industries or companies. The ITU and other standards bodies “tend to create standards that will not necessarily disrupt incumbent companies like carriers, but the IETF doesn’t have that formal sensitivity,” Bradner adds.

Another key difference is that the IETF makes decisions based on rough consensus rather than unanimity. The IETF leadership will approve a protocol document even if 10% of the group’s participants disagree, while other standards bodies make changes or additions to a document so all participants support it.

The rough consensus approach makes the IETF’s process more contentious, while the group’s openness makes its process take longer. One of the main criticisms of the IETF is that it takes too long to publish proposed standards. For example, the IETF has been working on aspects of IPv6 since 1994.

The  IETF  faces  many  chal¬ 
lenges,  including  declining  atten¬ 
dance  at  its  meetings  and 
increased  competition  from 
other  standards  bodies. 


In 2000, at the peak of the Internet bubble, IETF meetings attracted more than 2,800 attendees. At its meeting in November, the group had 1,200 attendees.

The  IETF  can’t  afford  to  lose 
money  on  its  meetings  because  it 
doesn’t  charge  membership  fees. 
However,  many  longtime  atten¬ 
dees  say  the  current  meeting  size 
is  better  for  getting  work  done. 

“When we had 3,000-person meetings, a lot of the people were not there to work on things,” says Baker, who attended his first IETF meeting in 1989. “The meetings that we have are smaller. The mailing lists are more contained, and the work is actually proceeding better.”

The IETF recently reorganized its administrative functions to gain greater control over its finances and meeting-related expenses. Alvestrand, who encouraged the group to reorganize during his stint as chair, says it’s too early to tell if the new administrative structure will work better than the less-formal systems of the past.

“By the end of 2006, we’ll be able to tell,” Alvestrand says. “When we’ve had service contracts in place for a year and have had monies for the meetings flowing through hands that are accountable to the IETF, we’ll know.”

Meanwhile, rival standards bodies such as the ITU are looking to encroach on areas of standards development that traditionally were handled by the IETF, while new standards bodies such as the Liberty Alliance Project and the MPLS Forum are cropping up to address standardization for emerging Internet services.

The IETF’s biggest challenge is “continued relevance,” Bradner says. “Finding new things to do or old things to work on which are relevant to the needs of the networking world going forward is key.”

Nonetheless,  IETF  leaders  are 
optimistic  about  the  group’s 
future,  especially  the  technical 
challenges  that  lie  ahead. 

“I expect to see a lot more work on quality of service and of course on security,” Carpenter says. “And we need some breakthrough thinking in the area of resource discovery. Using the DNS to find things is a really bad compromise, especially as we move toward fully internationalized naming of resources.”


Aruba, Meru air WLAN wares


Linux  vendors  stepping  up 
their  focus  on  security 


BY  JOHN  COX 

Aruba Wireless Networks this week plans to announce wireless LAN products that address the needs of small companies and branch offices. Separately, Meru Networks says its latest offering zeroes in on wireless security.

The new Aruba 200 Mobility Controller packages the company’s high-end WLAN features into its smallest and lowest-priced product. The 200 model can have six access points attached and supports about 100 simultaneous users. The company’s previous low-end controller, the Aruba 800, can connect 16 access points and 250 users.

A key change is ease of installation, Aruba says. Office workers plug in the power cord and attach some cables, and the 200 model automatically creates a secure IPSec VPN link to an Aruba master controller at a central office. The 200 model then downloads user information, security profiles and settings, and configuration settings for itself and attached access points.

Competing in this market are Cisco’s Integrated Services Router fitted with a recently announced WLAN blade, Symbol’s WS2000, and similar products from Trapeze Networks and others.

The 200 model starts at $1,750 (the 800 model started at $5,000).

Also new from Aruba is the Mobility Management System, which shifts from the company’s controllers to a server or an appliance an array of tasks, including WLAN planning, radio frequency management and network monitoring.

Farpoint  consultant 
Craig  Mathias  likes  the 
idea  of  a  management 
appliance.  “It’s  all  in  one 
place,  you  turn  it  on,  and 
then  you  don’t  have  to  do 
a  lot  of  work  setting  it  up 
and  managing  it,”  he  says. 

The  Mobility  Manage¬ 
ment  System  is  available  in  a  rack-mounted  appliance  and  as  software 
that  can  be  loaded  on  existing  servers. 

The  appliance  version  starts  at  $22,000  and  supports  as  many  as  250 
Aruba  access  points.  The  software-only  version  starts  at  $4,000  for  50 
access  points. 

Meru's  move 

Meru is expected to release an optional application called the Security Services Module for its wireless controllers. The code can manipulate the radio signal from Meru access points, adding a layer of security to a corporate wireless network, according to the company.

The software adds three capabilities. First, it enables an access point not only to process traffic destined for it but also to act as an RF scanner in the time between frames. Other vendors make use of separated, dedicated radio scanners, or force an access point to switch sequentially between processing and scanning, says Meru CTO Vaduvar Bhargavan. Switching takes time, and adds latency that can degrade or disrupt voice and video traffic, he says.

Second,  the  software  lets  a  controller  order  an  access  point  to  jam  a 
detected  rogue  device  by  transmitting  a  signal  designed  to  collide  with 
the  rogue’s  signal  while  the  access  point  maintains  links  with  autho¬ 
rized  clients. The  rogue,  in  effect,  disappears;  wireless  clients  can’t  see  it 
and  therefore  ignore  it.  Rival  products  have  the  access  point  send  out 
de-authenticate  packets  to  a  rogue,  a  technique  that  consumes  band¬ 
width,  according  to  Bhargavan. 

Third, Meru’s software can create a transmission that only designated sender and receiver radios can sense. Other nearby radios sense only RF noise.

The product, scheduled to be available by June, will start at $2,500 for 50 access points.


The  new  Aruba  200  Mobility  Controller  is  de¬ 
signed  for  simple  installation  by  office  staff 
in  branch  offices  or  retail-chain  sites. 


Steeling  Linux 

With  Linux  a  given  in  most  data  centers,  vendor  focus  now  is 
on  hardening  the  platform.  A  look  at  what  Red  Hat  and  Novell 
offer  and  have  planned  for  Linux  security: 

Red Hat:

SELinux: Integrated into Red Hat Enterprise Linux 4 to provide secure access controls.

ExecShield: Prevents malicious code from running when a buffer overflows.

Red Hat Directory Server: Maintains user profiles, access policies and other data identity management.

Red Hat Certificate System: Generates and manages digital credentials; Red Hat is working on integrating smart cards into the system.

Novell:

AppArmor: Alternative to SELinux; secure access-control technology that Novell acquired from Immunix; code contributed to the open source community last week.

Novell eDirectory: Includes smart cards and tokens to manage user profiles and access policies.

Security assessments: Short- and long-term consultations to evaluate Linux security needs.


BY  JENNIFER  MEARS 

Customers  should  expect  to 
see  enhanced,  easier-to-use  secu¬ 
rity  tools  from  leading  Linux  dis¬ 
tributors  in  the  coming  months  as 
vendors  focus  on  making  the  plat¬ 
form  tough  enough  to  support 
even  the  most  critical  business 
applications. 

Gone are the days of having to bolt on Linux security features through patches to the kernel. The Linux 2.6 kernel includes the hooks necessary to integrate security directly into Linux distributions without modifying the kernel itself.

That means users should see offerings that fit right into their Linux environments, analysts and industry experts say. It’s a reflection of the maturing of the Linux operating system and a growing focus on security by vendors such as Novell and Red Hat.

While  Novell  is  working  at  inte¬ 
grating  its  longstanding  security 
tools,  such  as  identity  manage¬ 
ment,  into  its  SuSE  Linux  distri¬ 
bution,  users  can  expect  to  see 
Red  Hat  build  out  offerings  on 
top  of  technology  it  acquired 
from  Netscape,  including  a 
directory  server  and  a  certificate 
management  system. 

“The  key  focus  moving  for¬ 
ward  is  to  make  sure  we  build 
security  into  every  component, 
every  process,  every  bit  of  what 
we’re  doing,”  says  Mike  Ferris, 
director  of  security  solutions  at 
Red  Hat.  “When  we  think  about 
security,  it’s  really  about  making 
it  ubiquitous.” 

As an example, Novell and Red Hat now build application security into their Linux offerings. Application security technology limits access to operating systems and protects applications and operating systems from internal and external threats such as malicious code and viruses. The idea is to protect data on Linux from application vulnerabilities without having to resort to emergency patching.

Red Hat includes Security Enhanced Linux (SELinux) in Red Hat Enterprise Linux 4. SELinux is a National Security Agency-backed project that enables users to set detailed access controls to protect operating systems from threats.

Novell offers AppArmor, access control software it acquired from Immunix last May. Novell has offered AppArmor as a standalone product since the fall, but last week the company announced it was integrating AppArmor into its SuSE Linux distribution. The company also kicked off an open source project built on key components of the AppArmor code.

Developers can go to www.opensuse.org/apparmor and have full access to the source code, says Charlie Ungashick, director of product marketing for Linux at Novell. “That way we will garner community involvement to review, test and develop the technology.”

Analysts  say  the  move  is  a  good 
one  for  Novell,  whose  biggest 
challenge  is  to  raise  awareness  of 
the  AppArmor  technology.  Novell 
executives  say  AppArmor  is  a  sim¬ 
pler  approach  to  application 
security  than  SELinux.  Some  ana¬ 
lysts  agree,  noting  that  today  most 
SELinux  deployments  are  in  the 
government  sector. 

“Novell AppArmor is less complicated to implement than SELinux,” says Stacey Quandt, research director of security solutions and services at the Aberdeen Group. “The challenge for Novell is not technology but marketing. By creating an open source project around AppArmor, it may be of more interest to developers and increase the mind share and use of the technology.”

For  users,  the  biggest  issue  is 
whether  specific  applications 
are  supported  by  the  applica¬ 
tion-security  approach,  Quandt 
says.  That’s  why  Red  Hat  and 
Novell  are  working  with  inde¬ 
pendent  software  vendors  to 
ensure  that  applications  can 
take  advantage  of  the  security 
features. 

“For  some  users,  the  ease  of 
implementing  Novell  AppArmor 
will  be  preferred,”  Quandt  says. 
“Red  Hat  needs  to  make  SELinux 
easier  to  implement  and  use.” 

Red Hat’s Ferris counters that SELinux is perceived to be more complex than it really is. “Since we released Enterprise Linux 4, Security Enhanced Linux has been turned on by default in every install of Enterprise Linux,” he says. “That means there is a set of applications that is taking advantage by default of the mandatory access-control system. So users aren’t even aware in some cases.”
POWERING DATA ANALYTICS


AS BUSINESSES INCREASINGLY stake their survival on the
ability  to  manipulate  and  analyze  data,  the  importance  of  opera¬ 
tional  business  intelligence  has  skyrocketed.  Operational  BI,  which 
embeds  analytical  processes  within  the  operational  business  struc¬ 
ture  to  trigger  real-time  decision  making  and  collaboration,  is  fun¬ 
damentally  changing  how  data  is  used,  where  it  exists  and  how  it 
is  accessed. 

This  change  is  rapidly  exposing  the  limitations  of  traditional 
analytical  tools.  Most  traditional  databases  and  data  warehouses 
don’t  take  into  consideration  the  increasing  use  of  unstructured  data 
stored  outside  these  systems.  Moreover,  data  used  for  operational 
analysis  is  frequently  accessed  before  coming  to  the  data  ware¬ 
house,  such  as  RFID  data  coming  from  a  store  or  warehouse  being 
used  at  a  number  of  points  before  being  sent  to  a  data  warehouse. 
That  trend  will  continue  with  the  soaring  growth  of  self-service 
technologies,  a  trend  that  demands  split-second  return  times  on 
queries  that  are  increasingly  integrated  into  the  business  process. 

As  operational  BI  spreads,  CIOs  and  IT  managers  face  a  dilem¬ 
ma:  They  must  enable  new  strategies  for  how  their  companies 
use  information,  or  risk  a  significant  competitive  disadvantage.  But 
how  do  you  ensure  success  as  you  move  from  operational  BI  the¬ 
ory  to  reality?  The  following  tactics  are  key  to  the  successful  imple¬ 
mentation  of  this  promising  new  technology. 

Choose  service-oriented  tools  and  products.  Operational 
BI  depends  on  a  company’s  ability  to  collect  and  analyze  infor¬ 
mation  midstream — such  as  a  point-of-sale  cashier  accessing  a 
house workers using that data to reroute deliveries en route. Or consider the value to financial workers using real-time data to do
immediate  risk  analysis.  Those  decisions  can  be  based  on  informa¬ 
tion  pulled  from  a  wide  variety  of  data,  and  that  data  will  be  avail¬ 
able  regardless  of  location,  as  mobile  workers  use  operational  BI 
information  from  a  variety  of  devices.  Operational  BI  solutions 
from  Sybase  running  on  HP  servers  with  the  Itanium  2  processor 
should  scale  to  the  ever-increasing  user  population  that  needs  to 
access  analytical  data  at  the  production  level. 

On  the  technology  front,  “CIOs  should  expect  faster  query  speeds 
and  faster  data  loading  as  their  operational  BI  solutions  take  advan¬ 
tage  of  performance  boosters  such  as  a  64-bit  architecture  and  ana¬ 
lytics  algorithms  that  have  been  optimized  for  the  Itanium  2 
processor,”  says  Thomas.  They  should  find  infrastructure  manage¬ 
ment  easier  and  more  cost-effective  as  a  partitioned,  virtualized 
environment  allows  for  flexibility  in  meeting  peak  demands,  along 
with  better  management  of  hardware  and  server  growth.  With  a 
solution  based  on  Sybase  IQ,  HP  servers  and  the  Itanium  2  proces¬ 
sor,  storage  and  hardware  investments  should  lessen  long  term — 
Sybase  IQ  requires  less  storage  and  hardware  than  traditional  data¬ 
base  environments,  and  powerful  Intel  Itanium  2-based  servers 
from  HP  can  support  rising  workloads  and  offer  capabilities  to  sup¬ 
port  virtualization  and  enhance  manageability. 

In  the  final  analysis,  taking  the  time  to  understand  the  opportu¬ 
nities  and  challenges  from  both  business  and  technology  perspec¬ 
tives  should  pay  big  dividends  in  business  value  down  the  road. 
“Define  pain  points  in  business  value  terms,”  says  Joseph  Shaffner 
at  Sybase.  “By  applying  analytic  solutions  at  the  operational  point 
of  pain  itself,  companies  can  derive  immediate  business  advan¬ 
tages.  This  is  the  promise  of  operational  business  intelligence.”  • 


ACTION  ITEMS 

Tactical tips


customer  profile  to  offer  tailored  promotions — before  sending  it  to 
core  systems,  regardless  of  who  owns  the  master  data  store.  “The  abil¬ 
ity  to  get  a  glimpse  of  the  entire  pipeline  in  and  outside  of  the  com¬ 
pany  is  very  valuable  to  the  agility  of  a  corporation,”  says  Chris 
Thomas  of  Intel  Corporation.  A  new  generation  of  service-oriented 
BI  tools  that  can  collect  feeds  mid-tier  and  then  send  the  results  of 
this  analysis  along  to  core  systems  helps  companies  respond  quick¬ 
ly  and  effectively  to  changing  market  conditions.  Products  such  as 
Sybase  IQ  and  Avaki,  for  example,  are  built  to  respond  to  operational 
BI  requirements. 

Build  a  foundation  of  service-oriented  architecture.  Service- 
oriented  architecture  that  lets  users  access  real-time  knowledge  with 
a  set  of  service  feeds  can  maximize  business  agility  while  reducing 
complexity.  For  example,  SOA  flexibly  and  cost-effectively  supports 
the  midstream,  on-the-fly  data  collection  and  analysis  necessary  for 
operational BI. Service orientation also supports operational BI
throughout  the  business  by  pushing  BI  data  out  to  the  mobile  work¬ 
force  and  enabling  workers  across  the  enterprise  to  incorporate  this 
vital  data  into  their  workflow.  The  hardware  foundation  for  SOA 
should  include  robust,  open  standards-based  64-bit  platforms  such  as 
HP  servers  powered  by  the  Intel®  Itanium®  2  processor. 

Consider Enterprise Information Integration. EII, as evidenced in solutions such as Avaki, federates data sources to provide
a  single  view  for  end  users  and  is  a  good  choice  for  customers  with 
information  coming  from  dozens  of  sources  and  users  who  need  to 
make  decisions  on  the  fly.  For  example,  the  new  straight-through 
processing  requirements  in  the  financial  services  industry  will 
drive  institutions  to  perform  immediate  risk  analysis  and  increase 
the  need  for  operational  BI. 

VALUE  ACROSS  THE  ENTERPRISE 


Optimizing performance. Network managers need to analyze and rework the network to ensure that it is tailored to the performance needs of operational BI. This includes planning for traffic to the middleware layer as it extracts data from disparate sources.

Remote access for field staff. Mobilizing operational data for field staff requires network managers to plan for configuring data so it is downloadable to a multitude of mobile devices. They must also provide network security as mobile users log onto the network and


Operational  BI  proves  a  smart  investment  from  both  the  business 
and  technology  perspectives.  By  taking  the  guesswork  out  of  oper¬ 
ational  decision  making,  companies  can  tie  decisions  directly  to  per¬ 
tinent  business  information  and  make  decisions  on  the  fly 
throughout  the  enterprise.  Imagine  sales  reps  sending  and  receiv¬ 
ing  real-time  order  and  refill  data  via  mobile  devices,  and  ware- 


Network managers need to plan for the impact of deploying operational BI within the framework of a service-oriented architecture. Among the important issues:


Throughput  management.  Network  con¬ 
figurations  should  be  optimized  to  work 
well  with  a  virtualized  environment.  This 
typically  requires  monitoring  traffic  pat¬ 
terns  to  plan  for  times  of  peak  workload  and 
ensuring  that  data  flows  freely  to  users 
regardless  of  location. 


explore  wireless  coverage  issues. 

Mobile information access and cross-enterprise collaboration. As more mobile users download enterprise data from operational BI sources, network managers must analyze and provision for the additional traffic flowing across the network. This also applies to increased collaboration among companies, as businesses increasingly open their firewalls to allow collaboration among suppliers, distributors and other business partners.

Short Takes


■ Fidelis Security Systems last week announced an upgrade to its data-leakage prevention software that includes additional policy templates and new management features. DataSafe is designed to block the unauthorized transfer of sensitive or regulated data across network channels, including e-mail, HTTP, FTP, instant messaging and peer-to-peer communications. Instead of tracking
who  is  granted  access  to  certain 
data  in  an  organization,  DataSafe 
secures  the  information  by  analyzing 
content  via  statistics,  pattern  recog¬ 
nition  and  exact  matching,  and  then 
prevents  sensitive  data  from  leaving 
the  organization.  In  Version  3.8,  the 
company  has  included  templates  that 
search  for  data  related  to  the 
Department  of  Defense's  data  classi¬ 
fication  system  and  the  Payment 
Card  Industry  Data  Security 
Standard.  The  latter  is  a  means  of 
enforcing  data  security  standards  in 
businesses  that  process  credit  card 
information.  Users  can  configure  the 
templates  to  send  out  an  alert  when 
sensitive  information  is  about  to  be 
sent  out  of  the  organization,  or  pre¬ 
vent  the  data  from  leaving,  Etue  says. 
DataSafe  is  priced  at  $65,000  per 
sensor  for  the  32-bit  sensor  and 
$95,000  for  the  64-bit  sensor.  The 
management  console  is  included  free. 

■  Funambol,  a  developer  of  open 
source  data-synchronization  soft¬ 
ware  for  mobile  devices,  has  licensed 
its  Sync4j  mobile  application  server 
to  CA,  the  company  said  last  week. 
The  software  works  with  mobile 
devices  supporting  the  SyncML  stan¬ 
dard  to  synchronize  contacts  data¬ 
bases  and  other  information  be¬ 
tween  devices.  Funambol  intends 
this  year  to  expand  Sync4j's  capabili¬ 
ties  to  include  push  e-mail  delivery. 
CA  will  use  the  software  in  its  tools 
to  manage  mobile  devices  such  as 
smart  phones,  according  to  Funam¬ 
bol.  The  company  created  a  new 
research  division,  CA  Labs,  to  study 
mobile  applications,  advanced  appli¬ 
cations  on  converged  networks  and 
service-oriented  architecture. 


Branch  nets  get  integrated  help 


BY  TIM  GREENE 

Looking to eliminate the hodgepodge of devices users have to manage in branch offices, many customers are turning to single, multi-function devices known as a “branch in a box” that perform branch-office network functions while being managed remotely.

Branch-in-a-box devices support a core range of tasks (see graphic) and can take the place of four or five devices in offices that may have no permanent IT staff, says Dan Golding, an analyst with the Burton Group who says he coined the name as a product category.

One  box  can  perform  in  place  of  a  WAN 
router,  Ethernet  switch,  IP  PBX,  firewall  and 
other  devices,  he  says.  It  also  can  host 
security  applications. 

Branch-in-a-box  products  are  not  to  be 
confused  with  office-in-a-box  gear,  which 
includes  print  servers,  storage,  e-mail 
servers  and  other  devices  intended  to  sup¬ 
port  one-office  businesses  but  not  meant 
to  be  managed  centrally  as  part  of  a  large 


What’s in a branch-in-a-box?

Multi-function  devices  that  qualify 
as  a  branch-in-a-box  must  meet  the 
requirements  of  a  large  business, 
not  simply  function  as  office 
infrastructure  for  a  one-site  small 
business,  says  Burton  Group  analyst 
Dan  Golding,  who  coined  the  term. 
Key  elements  are: 

•  Switching. 

•  Routing. 

•  Remote  management. 

•  Firewall. 

•  IP  PBX.

•  Wireless  access  point. 

corporate network with hundreds of branches, Golding says. Vendors in this category are Critical Software, EmergeCore Networks, Right Vision (acquired by Alcatel) and Linksys One.

A  range  of  vendors  make  branch-in-a- 
box  products,  including  3Com,  Adtran, 
Kentrox  and  NetDevices,  a  start-up  focus¬ 
ing  on  this  type  of  gear  that  is  unique 
because  it  developed  its  platform  specifi¬ 
cally  to  deal  with  multiple  branch-office 
functions  rather  than  evolving  from  an 
existing  device,  he  says.  Cisco’s  branch-in- 
a-box  ISR  routers  lead  the  way,  Golding 
says,  with  more  than  500  million  units  sold 
since  they  were  introduced  15  months 
ago.  It  was  Cisco’s  most  successful  product 
launch  ever. 

Nortel is the most recent industry giant jumping into this area with its $99.5 million purchase last month of Tasman Networks, whose Converged Services Routers support routing, security, QoS and VoIP.

There  is  also  speculation  that  Juniper  is 
looking  into  creating  its  own  branch-in-a- 

See  Branch,  page  20 


Yahoo, Sheraton offer Wi-Fi lounge


BY  STEPHEN  LAWSON,  IDG  NEWS  SERVICE 

Yahoo  is  getting  into  the  Wi-Fi  hot  spot 
business  with  Sheraton  Hotels  &  Resorts, 
but  the  partners  aren’t  stopping  there. 

In a trial announced last week, the companies are setting up their own virtual and physical spaces — localized Web portals as well as lounges — in a few U.S. Sheraton hotels.

Free or fee-based Wi-Fi is nothing new in major hotels, including Sheraton facilities, but Yahoo and Sheraton are looking to enrich the experience with a “virtual concierge” Web portal for guests, and in some cases a special lounge in the lobby. The product, called Yahoo Link @ Sheraton, began in a trial last week with lounges and Web portals at the Sheraton San Diego Hotel & Marina and Sheraton Boston. The companies also launched portals for the Sheraton New York Hotel & Towers and the Sheraton Stamford in Connecticut.

At the core of the offering is a co-branded, localized Web portal for each hotel, accessible in lounge areas and guest rooms. When guests check in, they will be given pass codes to get on the Wi-Fi network and enter the portal, as well as to take advantage of other services in the Yahoo Link lounge, says Murray Gaylord, vice president of brand marketing at Yahoo. The portal will provide local information such as weather, nearby attractions and restaurants, and driving directions. Guests and hotel employees will be able to expand on those listings with their own reviews and recommendations.

Hotel  guests  also  will  get  a  free  30-day 
trial  of  a  bundle  of  Yahoo  premium  ser¬ 
vices,  including  Yahoo  Music,  Mail  Plus, 
Briefcase,  All  Star  Games  and  Finance 
Tracker. 

The Yahoo Link @ Sheraton lounge areas will have a handful of Ethernet-connected desktop PCs and seating areas where guests can use their own devices. Guests at any time will be able to use the workstations and Wi-Fi and send documents to a printer in the lounge for free printing, Gaylord says. With printer access, traveling guests could, for example, print out airline boarding passes while waiting for their bags to be brought down. The area will feature comfortable seating, a plasma TV and refreshments for sale, he says.

Yahoo’s customers told the company they wanted more than just a network connection or an online Yahoo presence when traveling, Gaylord says.

“People don’t want to just stay in their rooms on the computer. ... They want some kind of social interaction,” he says.

Sheraton, a division of Starwood Hotels & Resorts Worldwide, with about 400 hotels worldwide, is responsible for the network infrastructure, while Yahoo takes care of the Web portal, Gaylord says. The companies will look at response to the trial in about six months to gauge whether to expand the offering in the United States or overseas, he says.

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NetPro  offers  protection  for  Active  Directory 


BY  JOHN  FONTANA 

NetPro this week plans to upgrade its directory management tools to help customers better protect their environments from unplanned or malicious changes.

The company is set to ship Directory Lockdown 4.0 with new controls to protect a directory’s configuration and schema settings from being altered on Windows domain controllers where Microsoft’s Active Directory runs. The software also features a notification system that signals all attempted changes to IT executives, a customizable list of permitted changes and a new console interface.

As Active Directory has found its legs in corporate networks, administrators are discovering certain deficiencies with the software, such as a feature that lets administrators escalate their rights and perform potentially damaging changes.

“Because of compliance regulations a lot of the security auditors are paying attention to Active Directory,” says John Enck, an analyst with Gartner. “And it is really coming up with deficits in auditing, change management, compliance, the ability to lock it down, ability to delegate. The limitations have always been there, but all of a sudden there is a lot more attention on them.”

Microsoft plans to begin closing those gaps with the release of Longhorn Server by including the ability to deploy read-only domain controllers. But the software is not due until 2007 if Microsoft stays on track with the server.

With previous versions of Lockdown, NetPro prevented changes from replicating, but the 4.0 version takes a more proactive approach by blocking the changes from occurring, says Richard Hoey, product manager for Lockdown.

“Now we are analyzing the changes before they even hit,” Hoey says.

Lockdown, which competes with similar change management software from NetIQ and Quest, is preconfigured to prevent any change to Active Directory’s configuration or schema naming context (SNC). Those two areas of the directory contain all the configuration data for the Active Directory infrastructure, such as definition of a site. Typically that information does not change frequently. The domain SNC contains the user data, and NetPro plans to protect that SNC with technology slated for inclusion in its SecurityManager product later this year.

Once Lockdown is installed, users can craft their own customized list of allowed changes. Any other changes are blocked. The software also includes a notification system that alerts IT executives and records the who, what, when and where of the attempted change.

Lockdown runs using a series of agents installed on domain controllers. A client, which can be run as a thin-client terminal server interface or installed on a desktop, collects the monitoring information from each client. The agents feature NetPro’s anti-tamper technology to protect their integrity. The client interface has been expanded to include such features as hot alerts that users can click on and get more detailed information.

Lockdown is available now and is priced at $6 per user.


Start-up  offers  tool 
for  security  analysis 


BY  ELLEN  MESSMER 

Start-up Remnant Labs has announced a system-log analysis tool that aggregates log data from firewalls, intrusion-detection systems and other sources to alert managers about network security lapses.

The Universal Log Profiler runs on a PC or workstation and is intended as an alarm system to notify managers of violations in security policy, the company says.

“Log files contain valuable information about the configuration of networks,” says Eric Lin, CTO and co-founder of Remnant Labs.

He says the purpose of the Universal Log Profiler is to immediately notify network managers of security violations, such as unauthorized open ports, IP addresses from banned sites or use of a machine in off hours.

Profile: Remnant Labs
Location: San Francisco
Employees: 20
Founded: 2002 by CEO Les Hribar and CTO Eric Lin. Both come from security vendor Niksun.
Funding: $1 million in angel investor funding.
Product: Universal Log Profiler, which aggregates and analyzes log data for security purposes.

Before starting Remnant Labs, Lin was the technical sales and development manager at Niksun, which makes the NetDetector analysis tool. He says the Universal Log Profiler can receive log-analysis data from firewalls, IDSes and other gear through manual or automated transfer on a scheduled basis.

The Universal Log Profiler can accept and analyze log data from firewalls made by Cisco, Netscreen, Check Point, Secure Computing and Nortel, as well as wireless routers from Linksys, Netgear and D-Link.

IDSes supported by Remnant Labs’ product include open source Snort as well as commercial products from Cisco, Internet Security Systems, the Niksun NetDetector and the Nortel IDS.

Servers supported include Windows 2000 and XP, Linux, Solaris, FreeBSD, NetBSD, OpenBSD and the HP Unix system logs.

Intrusion prevention on the way

The Universal Log Profiler doesn’t support any type of intrusion-prevention system but that is planned for future versions of the product, says Les Hribar, Remnant Labs CEO and co-founder, who worked at Niksun as senior vice president of sales.

Remnant Labs says it has about a dozen customers, including shipping and warehouse firm Rapid Freightways, in Santa Fe Springs, Calif. Hribar and Lin say their log-analysis product ships with policy templates to analyze about 40 types of security violations, and new ones can be added to reflect corporate requirements.

The Universal Log Profiler costs $8,500 with support for 10 devices. ■


Branch 

continued  from  page  17 

box device. “Juniper has not announced anything, but there are rumors flying around, including sightings of experimental boxes that have a combination of the Juniper J-series router and the NetScreen firewall in one box,” Golding says.

Juniper says it doesn’t comment on future product development.

Cisco’s ISR gear stands out not only for its popularity but also for its premium price. ISRs cost 30% to 40% more than most of the competitors’ gear, Golding says. For instance, a Cisco 3825 costs $10,500 to $16,600, while a Tasman (Nortel) 3120 costs $6,400 to $12,900. But for the lower price, customers also get fewer feature options. The Tasman box has no IP PBX support, while the Cisco 3825 supports Cisco’s IP Call Manager Express for local call processing.

A strength of these devices is that they are modular, letting customers add features as they need them. For example, the U.K. financial firm Close Motor Finance uses NetDevices SC equipment as a branch-office router at its disaster recovery site in Peterborough, England. But because the gear also supports security features, Close Motor may roll it out in some of the 22 branch offices its IT department supports. This would be in place of separate Cisco routers and Fortinet security devices.

“It was never economically feasible to have a member of my IT team based in the branches,” says Dave Coleman, head of IT for Close Motor, who has eight IT staffers. “So it is important that we have as few maintenance and configuration issues as possible.” Having fewer devices in each branch translates into fewer maintenance and configuration problems, he says.

Adequate branch staffing is becoming a more common problem as businesses consolidate their servers, bringing them in from branch offices to central data farms, Golding says. As servers move out of branches, so do IT workers who handle the rest of the local network.

Close Motor also is considering a switch to VoIP in its branch offices very soon, says Rob Tomlinson, technical director for Global 20, the technical support company Close Motor uses to outsource some maintenance of its network. He says he likes the modular design of the NetDevices operating software that supports upgrades of the VoIP software without affecting the operation of other functions on the device. “You can restart individual modules without having to reboot and lose the whole machine,” he says.

The future of these devices lies in how many features they come to support over time. If Juniper gets into the field it could bring about immediate changes by adding what is recognized as a world-class firewall (NetScreen) and possibly adding WAN optimization, technology the company acquired when it bought Peribit last year, Golding says.

The one factor nobody can be sure of is how long this gear can remain trouble-free — an important characteristic for customers. “One thing about branch-in-a-box devices is they’re designed to sit out in a branch for three, four, five years, preferably without somebody touching them,” Golding says. “You’ll have to put them out there for a few years and find out.”


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EMC  girds  for  grid  computing 


A fast start

EMC has already bought half as many companies or technologies this year as it did last year.

Company | Acquisition date | Amount | Technology
Acxiom | January 2006 | $30 million | Business-intelligence middleware for marketir
Internosis | January 2006 | Not disclosed | Microsoft service and support provider
Acartus | October 2005 | Not disclosed | Data archiving software
Captiva | October 2005 | $275 million | Converter of paper documents to digital
Maranti | August 2005 | About 85 million | Intelligent Fibre Channel switch
Rainfinity | August 2005 | $100 million | NAS aggregation appliance

BY  DENI  CONNOR 

Quietly EMC has been integrating grid into its technology strategy and product portfolio for months, but the company started to make some noise about it earlier this month with a $30 million buyout of middleware technology from Acxiom.

Acxiom will continue to use the technology to power its managed information service, which it will develop further and market with EMC. But Acxiom, which has been around since 1969 known by other names, also will work with EMC to piece together a hardware and software bundle that customers can use to better manage their data by tapping the power of computer grids.

The buyout of Acxiom technology is not EMC’s first effort to bolster its grid expertise. It has gathered expertise in grids with the year-ago hiring of Ian Baird, CTO for Grid and Utility Computing Solutions (he had been with Platform Computing) and the hiring in 2004 of CTO Jeff Nick, who worked on IBM’s On-Demand Initiative.

“The competitive big guys, such as IBM, Sun and HP have already made plays in this space, so EMC needed to be able to have some expertise around grid computing,” says Steve Duplessie, senior analyst for Enterprise Storage Group. “With [past EMC acquisition] VMware creating virtual machines, the next step is for EMC to offer a virtual data center.”

Acxiom’s software goes beyond VMware’s, says Brian Babineau, an analyst for Enterprise Strategy Group. “It can be used to move information around so it can be analyzed and used more efficiently.”

Under their agreement, EMC and Acxiom say they will develop a non-hosted software/hardware bundle called the Business Information Grid, for managing data. The firms pledge to deliver later this year a beta-product bundle that includes Smarts workflow automation technology, virtualization, information life-cycle management and grid-scheduling software, as well as secure access and authentication capabilities.

EMC has announced 13 technology or company acquisitions in the last 36 months. The latest was announced last week, when EMC bought Internosis, a firm that focuses on Microsoft applications. ■


Short Takes

■ CA has announced a reseller agreement with StoreAge Networking Technologies to beef up the virtualization and data-protection capabilities of its BrightStor storage-management software suite. The pact enables CA to fill a hole in its storage-area network product portfolio, according to Eric Pitcher, vice president, product management for BrightStor at CA. Under the terms of the nonexclusive agreement, CA is to resell StoreAge's cross-platform Storage Virtualization Manager appliance and its family of Multi data-protection software with BrightStor. CA will offer StoreAge’s SVM as a stand-alone product or bundled with BrightStor, Pitcher says.

■ Data-migration vendor PlateSpin last week added support for Microsoft's Virtual Server 2005 Release 2 and Symantec's LiveState 6.0 to its PowerConvert software. The company’s technology supports migration of data, applications and operating systems in physical, virtual, blade or mixed environments. The software is used for server consolidation, disaster recovery, hardware migrations and data-center optimization and relocation. Version 5.2 of PowerConvert also features support for multi-subnet and full duplex networks, new server-discovery tools and error reporting. PowerConvert 5.2 is available in three editions: Universal, Consolidation and Recovery.


More office apps squeezed into USB drives

BY JOHN COX

LAS VEGAS — Imagine carrying your office applications and data not in a heavy notebook computer but in a USB flash drive the size of your thumb.

That’s the idea behind U3’s smart drive, which now features a fuller software bundle, as announced at the International Consumer Electronics Show (CES) earlier this month in Las Vegas. The additional software adapted for the U3 platform includes two office suites, from OpenOffice and ThinkFree, the Maxthon Web browser and the Yahoo toolbar.

Also at the show, SanDisk and PQI released USB drives based on the U3 platform. These and other vendors take the U3 software, a subset of the available U3-compatible applications and varying amounts of storage capacity, package them on the thumb-sized drive and brand them with the U3 logo.

U3, in Redwood City, Calif., was founded as a joint venture in late 2004 by two flash-drive vendors, SanDisk and M-Systems. Unveiled at CES a year ago, U3 and its partners introduced their first flock of products last September.

The basic idea behind the smart drive is identical to Route1’s MobiKey (www.networkworld.com, DocFinder: 1742), released last month.

In both cases, the drive is plugged into an open USB port on a Windows PC or laptop. The on-board software creates a protected space in which to run the stored applications, entirely separate from the operating system of the “host” computer.

U3 supports Windows XP and Windows 2000. When the drive is plugged into the PC, a logon screen appears. Once authenticated, the user sees a small U3 GUI, called the Launchpad. It’s a series of buttons on the left for the applications stored on the drive, and on the right for navigating and managing the drive. Applications can be set to load automatically once the logon is completed. One button links to the Web-based U3 download site, where applications tailored for the U3 platform are available.

The OpenOffice suite (DocFinder: 1743) is the open source version of the original applications developed by StarOffice, a German company acquired by Sun in 1999.

ThinkFree Office (DocFinder: 1744) is a set of Microsoft Office-compatible desktop applications written in Java.

The Maxthon browser (www.maxthon.com) repackages Internet Explorer and adds an array of features, including a tabbed user interface; built-in RSS feeds; and blockers for ads, pop-ups and ActiveX controls.

SanDisk’s new U3-based flash drives will range from 512MB to 4GB and be priced from $50 to $300. They will be available in March. Four programs are included: Skype for VoIP, Avast Antivirus software, SignUp Shield password vault and CruzerSync, which synchronizes with Outlook data.

PQI’s U3-based CoolDrive is available in 512MB, 1GB and 2GB formats, bundled with McAfee Anti-Virus, the Migo PC synchronization application, Thunderbird e-mail and the Usafe program for password protection. Prices were not disclosed. ■
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Short  Takes 


E-comm  goes  contactless 

Banks,  credit  card  companies  and  retailers  jointly  embrace  wireless. 


■ Mercury Interactive signed a definitive agreement to acquire privately held Systinet for $105 million in cash, with the hopes that the deal will boost its position in the fast-growing service-oriented architecture software and services market. Mercury software is designed to let organizations calibrate their IT initiatives so that they support business activities; Systinet's software lets organizations keep a record of application components and maintain control over them.

■ EIQnetworks last week announced it has enhanced the security and compliance-management capabilities of its information and event management software, Enterprise Security Analyzer Version 2.1. The software gathers data across security and network devices and includes compliance reports custom-designed to meet multiple regulatory auditor requirements. New to ESA 2.1 is support for eEye's Retina scanner, Internet Security Systems' vulnerability scanners, a Cisco-specific collection tool, Cisco Security Agent and Cisco's NetFlow and C-Flow protocols. Pricing for ESA starts at $8,000, which includes a license for five devices and five hosts (Windows, Linux or Unix). A 50-node enterprise deployment starts at around $25,000. A 100-node enterprise deployment starts at around $50,000.


BY  ANN  BEDNARZ 

Season ticket holders can now use a cell phone to purchase items at concession stands in Philips Arena, home of the NHL’s Atlanta Thrashers and the NBA’s Atlanta Hawks. With the right gear in place, all a patron has to do is wave a phone at a transaction terminal, and the sale goes through.

Contactless payments are creating a buzz in the retail world. The technology lets consumers make purchases without establishing a physical connection between the payment device — plastic card, key fob or mobile phone — and the point-of-sale (POS) terminal. Account information is encrypted and transmitted wirelessly between the payment device, which contains an embedded smart chip and antenna, and the reader.

Early adopters are deploying contactless terminals to simplify payment processes in settings with high volumes of low-cost transactions, such as gas stations, convenience stores, fast-food restaurants and sporting arenas. In these places, cash transactions are often the norm.

That may change as the contactless payment industry grows.

“Contactless  payments  make  the  pay¬ 
ment  process  easier  and  more  convenient 
for  consumers,  who  see  benefits  of  shorter 
See  Commerce,  page  24 


Wave-and-go  shopping 


Contactless  payment  technology  lets  consumers  make  purchases  or  download 
content  with  the  wave  (or  tap)  of  a  plastic  card,  key  fob  or  mobile  phone. 


Consumer  devices 


Banks,  service  providers  and 
chipmakers  embed  smart  chips 
in  consumer  devices  to 
manage,  store  and  provide 
access  to  customer  account 
and  transaction  data. 
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The  contactless  reader  receives  encrypted 
payment  information  and  passes  it  to  the 
retailer's  POS  application  and  back  end. 


Payment  processing 
provider 
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Bank 


Retailers  automatically  charge  contactless 
payment  transactions  to  users  via  the 
same  network  that  processes  traditional 
credit  card  transactions. 


Microsoft wins over retailer Target


■  Adobe  last  week  acquired  the 
FileLine  Digital  Rights 
Management  division  of 
Navisware,  and  expects  to  add  the 
technology  to  its  LiveCycle  Policy 
Server  this  fall.  The  software  allows 
companies  to  control  who  can 
access  documents  saved  in  PDF, 
Microsoft  Office  and  CAD  formats 
as  well  as  how  and  when  they  get 
access.  In  addition,  the  software 
creates  an  audit  log  of  who  has 
opened  documents.  Terms  of  the 
deal  were  not  disclosed  and  pricing 
was  not  announced. 


BY  ELIZABETH  MONTALBANO, 

IDG  NEWS  SERVICE 

Microsoft last week unveiled a deal to outfit Target retail stores in the United States with server, database and development software that will run all areas of store operations.

Under the terms of the deal, which is part of Microsoft's Smarter Retailing Initiative, Target will migrate its 1,400 stores in 47 states from its current mishmash of legacy systems to Microsoft infrastructure, including Microsoft .Net Framework 2.0, Windows Server 2003 and Microsoft SQL Server 2005, according to Tom Litchford, director for Microsoft’s retail and hospitality industry unit.

Minneapolis-based Target currently uses Microsoft software and Unix technology to run point-of-sale, back-office, inventory, cash management and shelf-audit applications; the migration to a Microsoft environment began late last year with Microsoft and Target working together on the project, Litchford says. The companies expect to deploy the new technology in phases through the end of 2009 or early 2010, he adds.

Lena Michaud, a Target spokeswoman, confirmed that the company’s U.S. retail stores are in the process of a migration to a Windows/.Net infrastructure, but she says that the company can’t disclose further information.

Microsoft launched the Smarter Retailing Initiative two years ago this week on the advice of its partner and customer advisory board, which recognized a significant opportunity to help companies in the retail sector migrate from legacy systems to Web-services-based technologies, Litchford says. Microsoft’s partners said they did not know how to target retailers specifically and asked for help from the software company, he says.

Microsoft worked on the initiative for 18 months, coming up with what Litchford describes as a “prescriptive architecture” for how independent software vendors could provide their applications on top of Microsoft software for retail companies. ■
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Blocking  the  power  of  the  Internet 


NET INSIDER
Scott  Bradner 


Tlie  Internet  succeeded  because 
no  one  in  the  traditional  telecom 
industry  believed  in  its  underlying 
technology  or  its  design  philoso¬ 
phy  They  still  do  not,  but  are  being 
backed  into  a  corner,  and  in 
response  are  trying  to  change  the 
Internet  into  something  that  they 
can  better  control. 

Executives  from  AT&T,  which 
was  the  U.S.  telecom  industry  at 
the  time,  were  present  at  the  first 
major  demo  of  the  ARPANet  in 
1972. The  ARPANet,  like  its  succes¬ 


sor  the  Internet,  was  a  connec¬ 
tionless  packet-based  network  — 
a  technology  that  few  in  AT&T 
believed  would  ever  be  useful. 
According  to  Ethernet  developer 
Bob  Metcalfe,  the  executives  were 
pleased  when  the  demo  crashed. 
Two  years  later  AT&T  turned 
down  the  offer  to  run  the  same 
ARPANet.  A  few  years  later  the 
International  Organization  for 
Standardization,  one  of  the  major 
standards-development  organiza¬ 
tions  for  the  traditional  telephone 
industry  turned  down  a  formal 
offer  to  adopt  TCP/IP  as  basis  for 
future  telecommunications. 

AT&T  was  happy  to  sell  wires  to 
the  silly  geeks  building  these 
packet-based  networks,  but  saw 
no  future  in  such  technology  This 
attitude  meant  that  the  Internet 
was  left  alone  by  the  telecommu¬ 


nications  industry  It  also  was 
largely  left  alone  by  U.S.  regulators 
—  until  quite  recently 
This  neglect  meant  that  devel¬ 
opers  were  free  to  experiment 
with  new  applications  over  the 
Internet.  There  was  no  carrier 
telling  users  what  applications 
they  could  or  could  not  run,  no 
carrier  that  you  had  to  get  permis¬ 
sion  from  before  you  were  able  to 
deploy  a  new  Internet-based  ser¬ 
vice.  The  Internet  was  just  a  col¬ 
lection  of  wires,  most  of  which 
were  bought  from  the  telephone 
companies  by  ISPs,  who  paid 
what  the  telephone  companies 
determined  was  a  reasonable  fee 
for  use  of  the  wires.The  cost  of  the 
wire  did  not  depend  on  what 
Internet  services  were  running 
over  it,  just  like  the  cost  of  your  car 
does  not  depend  on  whom  you 


transport  in  it.  ISP  customers  paid 
the  phone  companies  for  the 
wires  and  paid  ISPs  for  Internet 
service  based  on  the  size  of  the 
wire  they  were  using  —  every¬ 
thing  was  simple. 

But  some  of  the  telephone  com¬ 
panies  want  to  change  this.  They 
want  to  charge  Google  and  others 
to  send  packets  to  you.  The  fact 
that  you  have  already  paid  for  the 
wire  and  the  Internet  service  that 
Google  is  using  to  send  those 
packets  is  ignored.  The  phone 
companies  currently  say  that  they 
want  to  let  Google  pay  more  to 
make  Google’s  packets  get  to  you 
“better”  but  this  is  the  blunt  end  of 
the  camel  well  into  the  tent. 

The only way for the telephone company to get Google to agree to
pay again for what its customers have already paid for is to
threaten, directly or indirectly, that if Google does not pay, its
packets will not get to its customers. It’s a very small step for
the telephone company to refuse to transport — or to badly
impair — traffic from companies or people that have not paid the
phone company an extra fee. It would be rather hard to innovate
under these rules. In most situations this is called extortion,
but the phone companies are asking us to believe that it’s a
service improvement.

Disclaimer: Extortion is not a normal Harvard course topic (as
far as I can tell), so the above view is my own.

Bradner  is  a  consultant  with 
Harvard  University's  University 
Information  Systems.  He  can  be 
reached  at  sob@sobco.com. 


Commerce 

continued  from  page  23 

lines,  cash-on-hand  issue  elimination  and 
faster  moving  queues,”  says  analyst  Erik 
Michielsen,  who  is  director  of  RFID  and 
ubiquitous  networks  at  ABI  Research. 

“Merchants benefit by increased average bill size, greater
throughput, less cash handling and increased return visits,” he
adds. “Card issuers and associations benefit by tapping into the
cash market and increasing top-of-wallet positioning against
competitors.”

With  much  to  gain,  merchants  and  card 
issuers  have  been  working  together  with 
vendors  that  supply  POS  gear.  For  exam¬ 
ple,  the  project  now  in  its  pilot  phase  in 
Atlanta  required  cooperation  from  many 
parties,  including  Atlanta  Spirit  —  parent 
company  of  the  Hawks,  Thrashers  and 
Philips  Arena  —  Cingular  Wireless, 
JPMorgan  Chase,  Nokia,  Philips,  Visa  USA 
and  Vivotech. 

During  the  pilot,  season  ticket  holders 
can  make  contactless  payments  at  con¬ 
cession  stands  and  access  mobile  con¬ 
tent.  At  checkout,  patrons  hold  their  phone 
near  a  secure  reader,  which  receives  the 
credit  card  payment  information  and 
processes  the  transaction  in  the  same  way 
it  handles  other  card  transactions. 

To participate in the pilot, patrons need a Visa credit account
issued by Chase, a Cingular Wireless account and a Nokia 3220
mobile phone outfitted with a semiconductor chip from Philips and
POS software from Vivotech. These strict requirements limit
participation. That’s one of the reasons Bob Egan, director of
emerging technologies at TowerGroup, calls the Philips Arena
project in Atlanta “a science experiment.”

For the most part, the technology is still in its infancy. There
have been some highly publicized projects in Europe and Asia, and
now projects are getting attention in the United States, Egan
says. It’s a complex undertaking, and people are trying to test
the waters with some minimum investment, he adds. “Contactless
payment systems on credit cards and on mobile phones are going to
be a significant growth hormone to accelerate the velocity of
money,” Egan says. But it won’t happen overnight.

The  challenge  is  combining  two  emerg¬ 
ing  industries  —  contactless  payments 
and  mobile  phone  systems  —  in  a  bene¬ 
ficial  way.  Collaboration  is  critical. 

“Everybody needs to get around the table and understand their
roles and responsibilities. They need to be very objective and
heads-up about understanding the complexities of implementation
and integration, and put some good policies in place around
execution governance — understanding who’s doing what, when,
where and how,” Egan says. Risk management becomes a really big
deal, he adds.

Search  for  standards 

Despite the hurdles, the consumer payment systems industry’s
Nilson Report estimated last May that there will be between 15
million and 20 million Visa and MasterCard contactless chip cards
in the market by the end of 2006. Card issuers have launched
several high-profile projects in the last 12 months: Last May
Chase announced its “blink” contactless consumer cards, based on
the Visa and MasterCard contactless payment technologies, which
it’s rolling out in Atlanta and Denver. Last August Citibank
announced its plan to roll out 2.5 million contactless MasterCard
debit cards and key fobs across the country. Last fall, MBNA
started issuing MasterCard cards that can be used in Seattle’s
Qwest Field and Baltimore’s M&T Bank Stadium. In addition,
American Express has begun issuing Blue Cards with contactless
payment technology nationwide.

IT vendors working on contactless POS options include Hypercom,
Ingenico, On Track Innovations and Vivotech. Among the retailers
that have been experimenting with contactless payments are
7-Eleven, AMC Theaters, CVS, McDonald’s, Regal Cinemas, Ritz
Camera, Subway and Wawa.

From the beginning, the major credit card companies have been
developing their own services for processing contactless
payments: American Express has its ExpressPay, MasterCard
International has PayPass and Visa has its Contactless products.
Each is based on ISO/IEC 14443, the international standard for
contactless smart chip technology.

Lately, however, these companies have been working to share
technologies. Last March, for example, MasterCard and Visa
announced an agreement to share a common communications protocol
and associated testing requirements for contactless payments. The
protocol is based on MasterCard’s PayPass ISO/IEC 14443
implementation specification, says Cathleen Conforti, senior vice
president and PayPass global product manager at MasterCard. “The
use of a common protocol for conducting contactless payments will
enable vendors to streamline product development and testing,
leading to reduced implementation costs and faster time to market
for financial institutions and merchants,” Conforti says. As
standards emerge, retailers will be able to buy POS gear knowing
it will be able to handle contactless payment transactions for
multiple credit-card providers. Vendors will have to develop and
support only one communications specification, making the
manufacturing process easier and less costly, she adds.

At the same time, MasterCard, Microsoft, Motorola, Nokia, Sony,
Visa and other companies are backing a wireless communications
protocol called Near Field Communication (NFC). NFC technology is
based on or compatible with existing ISO standards, including
ISO/IEC 14443. One hallmark of NFC is its short range — a couple
of inches.

That’s one way in which contactless payment devices differ from
radio frequency identification (RFID) tags used in supply-chain
settings. For security reasons, contactless payment devices are
designed to operate close to a POS terminal. RFID tags have a
less-restricted read area and typically contain only an item
identification number that’s linked via back-end systems to
more-detailed supply-chain data. In the big picture, it’s not
just purchases that the NFC network will enable: For example,
backers envision that consumers will be able to download a movie
or song clip by holding an NFC-enabled phone in front of a
billboard or poster with an embedded NFC tag. As such deployments
take off, more than 50% of mobile handsets will incorporate NFC
chips by 2010 to enable short-range transactions, ABI Research
predicts. ■

SPECIAL FOCUS

Better  management  through  best  practices 


BY  DENISE  DUBIE 

The  good  news  about  adopting  best  prac¬ 
tices  is  that  corporations  aren’t  limited  to 
one  method.  The  bad  news  is  that  compa¬ 
nies  will  most  likely  need  to  adopt  more 
than  one  best-practice  framework  —  or  at 
least  parts  of  many  —  if  they  want  a  com¬ 
plete,  effective  set  of  management  process 
guidelines. 

A  related  concern  is  that  when  network 
managers  realize  that  multiple  standards 
may  be  required  to  achieve  their  goals, 
they  may  become  overwhelmed  trying  to 
discern  the  differences  among  popular 
frameworks. 

Best-practice  frameworks  such  as  IT 
Infrastructure  Library  (ITIL)  and  Control 
Objectives  for  Information  and  Related 
Technology  (COBIT)  have  been  around 
for  years.  For  the  most  part,  these  frame¬ 
works  should  bring  consistency  and  effi¬ 
ciency  to  the  various  aspects  of  IT,  such 
as  application  development,  help  desk, 
network  operations,  security,  and  service 
delivery  and  support.  Compliance  with 
the  Sarbanes-Oxley  Act  and  numerous 
other  regulatory  standards  is  another 
obvious  benefit  —  and  is  often  the  impe¬ 
tus  for  IT  executives  to  start  looking  at 
process  frameworks. 

Other  —  and  perhaps  longer-term  — 
gains  are  the  cost  cuts  and  labor  reductions 
that  result  when  an  IT  shop  deploys 
processes  to  which  all  staff  members 
adhere.  Best-practice  nirvana  occurs  when 
IT  is  able  to  align  with  business  by  helping 
network  managers  translate  their  services 
into  business  terms  and  assign  a  business¬ 
relevant  priority  to  their  tasks. 

According  to  Forrester  Research,  best- 
practice  frameworks  will  see  broad  adop¬ 
tion  in  2006.  The  firm  suggests  that  in 
many  cases,  ITIL  and  COBIT  —  along  with 
the  Capability  Maturity  Model  (CMM)  and 
ISO  17799  —  should  be  adopted  in  con¬ 
cert.  ITIL  addresses  service  delivery  and 
support;  COBIT  covers  the  broadest  spec¬ 
trum  of  IT  governance;  CMM,  which  is 
used  frequently  by  application  develop¬ 
ers,  shows  how  IT  shops  rate  in  terms  of 
maturity  compared  with  best-known 
processes;  and  ISO  17799  proposes  securi¬ 
ty  management  measures. 

“Most of these frameworks are not mutually exclusive and are most
effective when used in combination with one another,” says Craig
Symons, a principal analyst with Forrester, in a report released
this month. “The road to a comprehensive IT governance framework
involves understanding the differences among the frameworks and
when to apply each framework.”

Which  frameworks  an  organization  starts 
with  depends  on  its  goals.  Many  industry 
experts  say  even  though  ITIL  is  quickest  to 
deliver  incremental  results,  COBIT  is  a  good 
place  to  start.  COBIT  can  help  IT  shops 
prove  they  are  performing  the  processes 
laid  out  in  the  other  frameworks,  as  it  is  a 
common  tool  for  auditors. 

“COBIT is focused on governance, and if you are a higher-level IT
manager concerned with overall corporate governance, this is the
best place to start,” says John Worthington, an independent ITIL
consultant based in Denville, N.J. “If you are purely focused on
IT and have a specific area to control, you may start with ITIL,
but it’s likely the two initiatives would come together
eventually.”

Brian Childers, an independent IT service management consultant
and a board member with the U.S.-based IT Service Management
Forum (which supports ITIL standards), adopted COBIT reluctantly
during an IT process implementation at Earthlink, a previous
employer. A big supporter of ITIL’s tenets, Childers didn’t want
to explore the possibility of linking his process plans with
those of COBIT. “I was adamant that I didn’t want COBIT,” he
says. “But there was a gap in our plans to roll out two ITIL
processes — change and release management — and COBIT addressed
the hole because it provided specific audit guidelines that
mapped directly to what auditors want.”

He says that Earthlink was able to sign off on its Sarbox
compliance in September 2004, a few months ahead of the December
2004 deadline, because the combination of ITIL and COBIT helped
the IT staff to better define and then prove their processes were
in place. “You can flat-out copy the COBIT guidelines and be
golden, because that is exactly what the auditors are looking
for,” he says.

Lenny Monsour reports a similar scenario, in which the use of one
framework — ITIL — led him to get certified in another, ISO 9001,
a standard from the International Organization for
Standardization (ISO) that defines the requirements for a
quality-management system. Monsour, product management director
at SunGard in Durham, N.C., started to put ITIL’s change
management processes in place about 18 months ago and found that
by also rolling out an automation platform he could achieve ISO
compliance as well.

“ISO demands pretty intense processes that are focused on quality
and compliance,” he explains. “ITIL gives you a loose guideline
as to how to do change management, it’s not specific. But with
ISO 9001, you have to have your processes documented against your
logs, and an auditor will check those against each other.”

Two years ago Kent Joshi had an external consulting firm advise
him to put best practices in place to govern IT operations at
Washington Mutual Bank in Los Angeles. Joshi, the bank’s IT vice
president, soon realized the suggested processes, which laid out
many fundamentals Joshi deems critical, still lacked the specific
processes he would need to synchronize IT services with business
demands. “We realized without a strong service-level management
[SLM] process in place, we weren’t instilling practices that
addressed IT’s interaction with our customers,” he says.

Joshi  says  that  before  exploring  the 
SLM  guidelines,  which  ITIL  lays  out  at  a 
high  level,  his  organization  would  have 
multiple  IT  staff  people  contacting  cus¬ 
tomers,  suggesting  fixes  for  their  prob¬ 
lems.  But  without  well-defined  process¬ 
es,  the  IT  staff  would  provide  only  a 
piece  of  the  necessary  service  and  in  a 
manner  that  couldn’t  be  measured.  The 
business  unit  would  be  left  unsatisfied, 
and  the  IT  staff  would  be  left  “scratching 
their  heads”  as  to  how  their  efforts  didn’t 
achieve  the  goal,  he  says. 

“ITIL’s SLM [process] places itself between the two areas: [It
expresses] customer requirements in terms the business
understands and in IT terms for my staff,” he says. “And it helps
you to figure out a measurable way to prove you delivered the
services.”

Despite the known benefits of frameworks, network managers should
be wary of falling victim to “standards slavery,” says Jon
Vromat, a best-practice consultant with HP in Detroit.

“IT organizations often think they have to take it all on at
once, and then [they] fail. Adopting frameworks is more like
eating an elephant; to be successful, you have to do it in
digestible chunks,” he says.

Referring to best-practice frameworks as alphabet soup, Vromat
says that managers should approach process adoption in three
steps: Start with a framework, such as COBIT or ITIL; move on to
a standard that can be certified, such as the many ISO
guidelines; then perform ongoing improvements that could be
measured by, for example, CMM or Six Sigma. ■


Best-practice  grab  bag 

Process  improvements  can  be  made  throughout  IT  departments,  and  experts  advise  IT  managers  to  mix  and  match 
best-practice  frameworks  to  address  an  organization's  unique  needs.  Here  is  a  sample  of  popular  frameworks: 


Best-practice framework: Information Technology Infrastructure Library
Origins: British government
Most likely adopted by: Service support, help desk staff
Promised benefits: High-level guidelines to start developing processes for IT service support and delivery across an enterprise.

Best-practice framework: Control Objectives for Information and Related Technology
Origins: Information Systems Audit and Control Association and IT Governance Institute
Most likely adopted by: IT management, systems administrators, internal IT auditors
Promised benefits: Standards and guidelines for security practices and financial controls, which sync up well with Sarbanes-Oxley requirements.

Best-practice framework: Capability Maturity Model
Origins: Carnegie Mellon Software Engineering Institute
Most likely adopted by: Application development team
Promised benefits: Process improvements such as change and release management across the application life cycle, from development to production.

Best-practice framework: ISO 17799
Origins: British Standards Institute and the International Organization for Standardization
Most likely adopted by: IT security managers
Promised benefits: Approach to security management across an organization that includes policies, critical-asset classification and risk management.

FDA turns to Verizon for VoIP rollout

Cost  savings,  collaboration  determine  setup  for  new  Maryland  campus. 


Considering  a  VoIP  rollout? 

Glenn  Rogers,  deputy  CIO  of  the  Food  and  Drug  Administration,  offers  the 

following  advice: 

•  Choose  an  integrator  that  not  only  understands  VoIP  but  also  understands  how  to  integrate  it  with  your 
legacy  infrastructure. 

•  Make  sure  your  integrator  understands  how  to  build  in  redundancy. 

•  Get management buy-in for your project because there are going to be bumps in the road. The FDA's pilot
users included the CFO, commissioner and key stakeholders, including people whose job it is to answer phones
and set up conference calls.

•  Be  prepared  to  change  your  processes  and  procedures.  Your  data  and  telephony  staffs  have  to  talk. 
Consolidating  IT  staff  and  help  desk  is  a  big  part  of  being  able  to  successfully  support  this  environment. 

•  Plan  thoroughly.  The  FDA  knew  what  it  wanted  to  do  upfront  and  what  services  it  wanted  to  bring  on  campus 
before  it  brought  in  a  single  IP  phone. 


BY  CAROLYN  DUFFY  MARSAN 

If  you’re  planning  a  move  to  a  new  office 
building  and  wondering  what  type  of  net¬ 
work  infrastructure  to  build,  consider  the 
experience  of  the  U.S.  Food  and  Drug 
Administration. 

The  FDA  is  building  a  campus  in  Mont¬ 
gomery  County,  Md.,  which  will  house 
8,000  employees  in  18  new  buildings.  For 
its  White  Oak  Campus,  the  FDA  chose  a 
converged  IP  network,  with  VoIP  in  all 
offices  and  conference  rooms. 

The FDA selected VoIP because it will cost less money to move
employees from one location to another as they complete projects.
The agency also hopes its new network will foster collaboration,
with features such as unified messaging and desktop
videoconferencing.

“We saw that VoIP was cost-effective if you’re building a new
building,” says Glenn Rogers, deputy CIO. “With a legacy
infrastructure, you have to pull the cables out of the building
and redo the network.”

The FDA will spend $25 million in eight years to build out the
VoIP infrastructure. This cost includes all equipment from the
VoIP phones back to the wire closets.

“The FDA project is one of the larger VoIP projects in the
federal government,” says Ray Bjorklund, senior vice president of
Federal Sources, a market research firm. “Many agencies have
pilot projects. But I haven’t heard a lot in the government about
people embracing VoIP yet for full agencies because of the
security risks and the operational risks.”

The FDA began planning its White Oak Campus in 1998, with a goal
of encouraging collaboration on a consolidated campus.
Previously, the FDA had buildings scattered around the
Washington, D.C., metropolitan area.

The FDA’s CIO office is responsible for the data, voice and video
services for the new campus. Rogers says he and his staff had
several goals.

“It had to be state of the art, but not cutting edge or bleeding
edge. It had to be something that would carry us for 20 to 25
years,” Rogers says. “We wanted it to be adaptive, so we wouldn’t
have to rip it out when new technologies like IPv6 come down the
pike. We wanted it to support agency standards and conform to our
architecture. But the big thing was to remove IT boundaries
within the different organizations within the FDA.”

The FDA’s eight organizations, including the Center for Drug
Evaluation and Research and the Center for Devices and
Radiological Health, had their own IT staffs and were developing
and supporting their own systems and applications. In

See FDA, page 32


Short Takes

■ AT&T announced last week that it is adding a number of bells
and whistles to AT&T BusinessDirect, the company's portal for
customer service management and trouble reporting. Among the new
attractions are a "click-to-chat" feature that allows customers
to chat online with a human being, as well as an expansion of the
portal's graphical network map to 88 more countries.
BusinessDirect has been an important component of the company's
so-called Concept of Zero effort, the crux of which is to reduce
the person-to-person and person-to-computer steps needed to make
things happen.

■ Skype Technologies has completed testing the latest version of
its Internet telephony software with a new video feature and is
now encouraging users to download it. Version 2.0 of Skype's
widely used VoIP software is available for free. It also allows
users to organize their contacts by creating groups, such as
colleagues, friends and family, and provides new buttons to
display their Skype status on their blog or Web page. Currently,
the software is available only for computers running Windows 2000
or XP. The new video feature requires XP.


Banner year expected for convergence

BY CAROLYN DUFFY MARSAN

ISPs agree that the big news of 2006 in their market segment will
be network convergence. The idea has been discussed for years,
but companies are finally buying high-powered IP networks that
can handle data, voice and video.

“IP convergence is happening in all companies, large and small,
global and domestic. They’re all looking to IP to add value to
their business,” says Mack Treece, president of Equant Americas.
“I see this trend really taking off in 2006.”

With converged networks come additional managed services —
security, messaging, collaboration and more — that carriers hope
will gain popularity in the months ahead.

“You’ll see lots of add-on services for what people bought” last
year, predicts Rose Klimovich, vice president of VPN and
Integrated Networking at AT&T. “So for VoIP and video over IP
services, now we’ll see videoconferencing and voice conferencing
over the Internet become bigger as we get into the year.”

Another area that’s expected to grow is managed security services
that companies can use to keep their converged networks safe from
attacks.

“The big news for 2006 will be around VoIP and the security
impacts of that,” says Chris Sharp, vice president of MCI’s
NetSec Security Services. “As more and more companies adopt open
systems, VoIP and soft clients, we’ll start to see a lot of
vulnerabilities and threats in that area.”

Carriers also predict more outsourcing as companies become
concerned about the growing complexity of their converged
networks.

“I see in 2006 that people will become more and more confident
about outsourcing network security to a company like us because
we have a proven track record,” Sharp says. “They can get more
features and functionality while keeping costs low with
outsourcing.”

Other technologies on the horizon include IPv6, the
long-anticipated upgrade to the Internet’s main communications
protocol. Equant sees IPv6 gaining ground in production
environments in Europe by the end of 2006.

“We are seeing companies begin to use IPv6 to expand the reach of
their IP infrastructures into any piece of machinery they have or
to add value via wireless monitoring so they’re able to make sure
they know the locations of various pieces of equipment,” Treece
says. “We’ve seen some innovative applications being created that
will be in production in the later part of next year.” ■

A final look back at '05 prognostications


Johna  Till  Johnson 


Every now and then, even we industry pundits call it right — or
so it seems. Comparing my 2005 predictions with the actual
outcome, here’s how the predictions fared:

2005  prediction:  The  telecom 
sector  rebounds. 

We’re  not  talking  about  a  repeat 
of  the  1990s  frenzy  —  think 
steady,  incremental  growth. 

According to JMP Securities, a leading research and investment
banking firm, the telecom sector grew an estimated 7% last year,
and U.S. IT spending in general was up around 10%.

The  interesting  part  is  where 
the  growth  came  from.  Many 
bellwether  public  companies 
saw  their  evaluations  stay  flat  or 
decline  in  2005:  AT&T  (formed 
by  the  merger  of  AT&T  and  the 
former  SBC)  and  Cisco  both 
stayed  flat. 

Nortel rose slightly on the news of its new CEO but otherwise was
mostly flat. Verizon and Juniper actually dropped by about 10%.

So if the growth didn’t come from the bellwethers, where did it
come from? In a nutshell, alternative players, particularly those
focusing on the critical areas of VoIP, security, management and
managed services. Enterprises are serious about these areas, and
they’re willing to spend money on alternative providers that can
meet their needs. For example, 75% of the companies I work with
said they were working with, or willing to consider, second-tier
carriers.

Several private firms experienced a banner year in 2005,
including ShoreTel Communications, Brix, Masergy Communications
and Megapath. Among public alternative companies, Foundry
rebounded nicely in the second half of 2005, ending the year up
27%.

Bottom  line:  A  solid  hit. 

2005  prediction:  Wireless  broad¬ 
band  emerges. 

Check. For just the most obvious example, Verizon and Sprint have
made significant investments in EV-DO, and HP and Lenovo recently
announced EV-DO-enabled laptops and notebooks. Stay tuned. This
segment gets bigger still.

2005  prediction:  MCI  goes  out 
of  business. 

OK, not really. . . . While I believe MCI will survive the year
in some form or other, its long-term prospects are bleak.

As we saw, MCI became part of Verizon at the end of 2005.
Admittedly, I didn’t predict the SBC-AT&T deal — but it’s worth
noting the SBC-AT&T relationship has functioned more like a
merger than a takeover.

2005 prediction: The FCC gets serious about regulating “Internet
dial tone” (arrgh!).

Once again, a winner — the FCC’s E-911 regulations hit in late
2005, and as noted in last week’s column, they’ve finally
awakened to the 21st century (not that it’s a good thing).

2005  prediction:  Convergence 
gets  bigger. 

Last  year,  for  the  first  time  ever, 
enterprises  I  worked  with  reported 
that  the  primary  reason  for  in¬ 
vesting  in  VoIP  was  “to  future 
proof  networks”  —  the  first  time 
that  business  driver  topped  “cost 
savings”  as  a  goal.  This  year  we’ll 
see  the  emergence  of  VoIP-based 
collaborative  applications. 

Five for five. Then again, even a stopped clock is right twice a
day.

Johnson is president and senior founding partner at Nemertes
Research, an independent technology research firm. She can be
reached at johna@nemertes.com.


FDA 

continued  from  page  29 

recent  years,  the  FDA  has  consolidated  all 
IT  under  the  CIO’s  office. 

“Whatever we did at White Oak, we were not building eight data
centers,” Rogers says. “We knew we would have one data center and
that we would have to realign our business practices and tech
staff to support technology across the campus. The main purpose
of the campus is to foster collaboration so that the agency can
work more efficiently.”

After  research  and  a  pilot  project,  the  FDA 
decided  that  VoIP  would  be  ready  for  a 
production  rollout  in  2005,  when  the  first 
buildings  at  the  White  Oak  Campus  were 
due  for  completion. 

The  FDA  issued  an  RFP  for  the  campus 
network  in  2002.  Four  companies  bid,  and 
the  FDA  chose  Verizon,  which  partnered 
with  Apptis  and  Batelle  to  offer  a  Cisco  VoIP 
network. 

“Verizon was able to bring to bear its
expertise in the infrastructure, as far as
LANs, WANs and connectivity coming in
from the local exchange carriers,” Rogers
says. “They could provide a really good picture
about the end-to-end solution.”

The  FDA  White  Oak  Campus  is  Verizon’s 
largest  VoIP  project  in  the  federal 
government. 

The FDA “is one of the few customers that
has actually committed to the technology
at this scale,” says Daniel Felder, vice president
of federal civilian sales for Verizon
Enterprise Solutions Group. “It’s relatively
easy to do the integration in small pockets
of 20 or 40 or 50 people. But it’s the FDA’s
commitment to VoIP for everyone that
stands out.”


The VoIP system includes Cisco call managers,
switches, handsets, conference room
phones and monitoring tools. The all-Cisco
approach was attractive to the agency
because it was already standardized on
Cisco equipment across its 250-plus sites
worldwide.

“We didn’t want to bridge two different
technologies,” Rogers says. “Whatever vendor
we chose, we wanted a true end-to-end
solution, from handsets to IP softswitches to
IP [public switched telephone network].”

The FDA is not using VoIP services from its
long-distance provider, MCI. The agency
uses VoIP only for local calls on its White
Oak Campus.

Rogers  says  that  VoIP  was  not  more 
expensive  than  building  separate  data  and 
voice  networks  on  the  new  campus.  The 
ROI  for  the  VoIP  deployment  was  in  cutting 
the  costs  of  moving  employees  from  one 
location  to  another. 

“When we looked at the cost to do adds,
changes and deletes from the system, the
agency was spending $50 per person on
that piece of it,” Rogers says. “With VoIP, a person
can move across the campus for free
and just take their PC with them. With a traditional
phone system, we would have to
place an order with the local carrier to
have a phone number moved or established,
which was a four- to six-week
process. Just from that perspective, we saw
savings.”

The FDA moved 2,000 employees from its
Center for Drugs into four new buildings at
White Oak last fall and says it has already
saved money with its new VoIP system. The
Center for Drugs has had three reorganizations
in recent months, with hundreds of
people moving to different offices. The new
VoIP system has handled these changes
with ease.

“Because we’re a regulatory agency in the
health sector, we regularly have new initiatives
that cause the agency to have to create
a new organization with staff and move
people around,” Rogers says. “With VoIP, we
essentially become our own phone company
and that in itself provides a lot of flexibility.
We can customize or add new call
groups. We have a lot more functionality to
do that, and we can do it in-house without
having to work with a local carrier.”

The  FDA  sees  many  other  advantages  to 
its  new  network  infrastructure  at  the  White 
Oak  Campus,  including  tighter  security  and 
new  features. 

“We have a lot more control over the
ports,” Rogers says. “We have a lot more
ability to lock down the network from a
security point of view. We really wanted to
ensure that we had a lot more management
capabilities than we had with the legacy
infrastructure.”

In terms of features, the White Oak
Campus network lets employees have an IP
softphone installed on their laptops, so that
they can receive calls while on the road or
working from home. The network also supports
videoconferencing in special rooms
and at the desktop.

“We have 40 conference rooms in the
buildings, and they are constantly booked,”
Rogers says. “So people can do videoconferencing
on the desktop. We provide video
on demand to the desktop so people can
do training, too.”

Rogers says the biggest challenge in
designing the White Oak Campus network
was ensuring redundancy. He says the
agency was concerned about losing voice
communications in the case of an IP network
outage.

“We built in custom redirects, so that if
VoIP has issues, we can redirect to cell
phones or another phone number at the
choice of the user,” Rogers says. “We placed
analog phones in key common areas so if
we did lose VoIP we still had analog services
for emergency purposes.”

To  ensure  redundancy,  the  FDA  purchases 
voice  services  from  two  local  exchange 
carriers,  and  it  provides  redundant  and 
uninterrupted  power  supplies  in  its  wiring 
closets. 

The  FDA  is  pleased  with  the  performance 
of  its  new  VoIP  system,  which  performed 
well  recently  when  a  backhoe  took  out  a 
trunk  on  the  new  network. 

“We could have had a major outage,”
Rogers says. “But we built a self-healing network,
so our users never noticed. We had
that repaired in two weeks, but the users
never knew we lost a major part of our
fiber-optic ring on campus.” ■


had to be state of the art, but not
cutting edge or bleeding edge. It had
to be something that would carry us
for 20 to 25 years.”


Glenn  Rogers,  Deputy  CIO,  FDA 
■ AN INSIDE LOOK AT TECHNOLOGIES AND STANDARDS


AJAX accelerates Web applications

BY ALEXEI WHITE


HOW IT WORKS: AJAX


The AJAX model uses asynchronous communication to perform targeted
updates, or micro-updates, on application data.

The Web browser requests a piece of information
from the server using an AJAX call. The browser
then uses this micro-update to change some
aspects of the Web page already in memory —
much like a desktop application would.

Micro-update

1. A user requests a Web site in his browser.

2. A Web server returns the entire page with JavaScript code embedded in it.

3. JavaScript code embedded in the Web page performs an AJAX request, loading new data from the
server in real time.


As IT increases its dependence on Web-based
systems to deliver business applications,
it sacrifices end-user productivity and
real-time updating of information. Web
browsers have always been good at delivering
software to remote users inexpensively,
but they haven’t offered the rich-client functionality
of desktop applications.

Enter AJAX (Asynchronous JavaScript
and XML), a Web development technique
that uses tools built into most Web
browsers that enable rich-client interactivity
and real-time data micro-updates, or
incremental updates, without the need for
proprietary plug-ins. AJAX consists of three
building blocks: JavaScript (or ECMAScript)
for computation, Dynamic HTML
for presentation and XML HTTP for client/server
communication.

The key component of AJAX is XML
HTTP, which allows a Web page to communicate
quickly with a server after it has
been downloaded to a client browser. This
is a dramatic departure from the traditional
page-based model, which requires
that an entire Web page be reloaded for
the information to be communicated
between the client and the server.




While seemingly simplistic, AJAX opens
doors for Web-application developers that
had previously been shut. It relies on nothing
but the built-in browser internals. No
extra software needs to be distributed to
users, making AJAX an attractive option for
companies that are concerned about the
security and logistical implications of distributing
installed software to users.

The traditional Web-application architecture
(sometimes referred to as the postback
model) is inefficient because it wastes
communications bandwidth. Every hyperlink
activation or button-press results in a
postback (or reload) of an entire Web page,
when perhaps all that was required was a
tiny block of text from the database. AJAX
solves this problem with XML HTTP.

Using XML HTTP and JavaScript, a developer
can make an asynchronous request
for a block of information from a server
without needing to reload an entire page.
The result is Web applications that react
more quickly to user interaction.

For example, a user might want to see the
details about a customer in a Web page. In
a traditional Web application, the user
might have to click and wait for the entire
page to refresh before seeing those details.
In an AJAX model, the user could click on
the customer’s name and have the data
retrieved instantly from the server, then displayed
directly on the Web page.

XML HTTP also addresses the data timeliness
problem of traditional page-based
application models. As soon as a Web page
containing some data is downloaded to the
browser, it is considered “stale,” or out of
date. The browser has no idea whether that
data on the server has changed or is still
accurate. This is a concern especially if a
Web application has many concurrent
users. Using AJAX, it’s possible to check that
data is current before a user needs it.

All major browser platforms now support
AJAX, including Internet Explorer,
Mozilla Firefox, Netscape, Opera and
Safari. There’s also a move toward standardization
of XML HTTP, the core component
of AJAX. Last year the World Wide
Web Consortium formed a Web API working
group to develop a specification for
HTTP functionality (which covers, in part,
AJAX). This is happening now in large part
because of overwhelming response from
the IT community in support of AJAX.

Performing targeted information updates,
or micro-updates, can substantially reduce
network loads, in addition to providing faster
interaction with live data. Benefits can be measured
through total bytes transferred, total
download time and steps/seconds to complete
a task.

The increasing relevance of AJAX is most
obvious when looking at high-profile offerings,
such as Google Maps and
Salesforce.com, but what isn’t obvious is
that it’s quietly making inroads in large and
small companies. Its rapid adoption signals
a shift in the way enterprises will build and
deliver future Web applications.

White  is  a  product  manager  for  eBusiness 
Applications  Ltd.  He  can  be  reached  at 
awhite@ebusinessapplications.ca. 


Ask  Dr.  Internet  By  Steve  Blass 



I have an Apache server running a number of
named virtual hosts that I want to use SSL with.
Apache doesn’t support named virtual hosts in
the SSL configuration file, because of the way
the protocols work. I need to route requests by
hostname using SSL. How can I do that?

Apache cannot support named virtual hosts in SSL
host configuration files, because it cannot see the hostname
header when the SSL request is being processed.
You can use a directory-level configuration file, typically
called .htaccess, to redirect the request, because the
host name information is available at that later point in
the processing. To do this, include the line
“AllowOverride Options FileInfo AuthConfig” in the general
configuration section of the Apache httpd.conf server
configuration file. This allows you to use the Apache
URL rewriting engine from a directory-level configuration
file. In the directory defined as DocumentRoot in
the <VirtualHost _default_:443> section of the Apache
SSL configuration file, create an .htaccess file containing
three lines: “RewriteEngine On” followed by
“RewriteCond %{REQUEST_FILENAME}
and “RewriteRule ^(.*)$ http://%{HTTP_HOST}:80/$1
[P]”. This will send the decrypted SSL request to the
host named in the HTTP headers by proxy so that your
users see only the https URLs. Depending on how your
sites are named, users may see security warnings that
your SSL certificate does not match the hostname.

Blass is a network architect at Change@Work in
Houston. He can be reached at dr.internet@changeatwork.com.
DSL techs and favorite tools


If  you  have  followed  our  travails 
with  our  DSL  connection,  we  have 
an  update  for  you:  We  asked  for  a 
technician  to  come  and  check  out 
the  DSL  line,  and  last  week  an  SBC 
DSL  engineer, Todd  370,  showed  up. 

But before we fill you in on what he
found, we must digress to share a few
tips about how to deal with SBC DSL
support. To get to knowledgeable
support people in double-quick
time, hit in answer to every question
in the SBC interactive voice
response (IVR) system. This annoys the IVR system and it
will give up quite quickly and route you straight to first-level
support.

SBC’s first-level support is utterly useless unless you are a
complete newbie with nothing more complicated than a
basic PC hanging off the DSL modem, so you should immediately
demand second-level support. Do not get wimpy
here — insist on being transferred.

The  first-level  tech  will  ask  you  for  information  that  won’t 
be  passed  on  to  the  second  level,  and  so  far  we  have  found 
no  way  to  avoid  this  step.  Even  so,  this  strategy  will  reduce 
the  time  it  takes  to  get  to  second-level  support  to  around 
eight  minutes. 

Anyway, back to Todd 370. He turned up, took a look with
his DSL test gear and concluded that something was
degrading the signal on our side of the demarc. Our DSL
setup was delivered with three or four Z-filters (in-line high-frequency
filters) to filter out the DSL carrier, and so we
installed them on each phone on that circuit.

Apparently there is voodoo involved, because this really
was at least part of our problem. Todd 370 installed (for the
princely sum of $35) an industrial grade Z-filter next to
the demarc and tightened all of the connections (apparently
slightly loose terminal screws can cause serious problems),
and when he retested the connection, its performance
was significantly better. So far, so good.

(But  how  is  a  consumer  supposed  to  know  any  of  this? 
There  are  no  instructions  we  can  find  on  the  SBC  site 
regarding  the  placement  of  Z-filters,  and  you  know  the 
telephone  support  techs  are  clueless  on  the  topic.) 

Then we went inside and ran some Pingplotter traces and
found errors were still appearing. On the first hop the latency
was periodically jumping from 10 millisec to 1.5 seconds
or more, and the jitter was increasing from 0.4 millisec
to around 400 millisec! Todd 370 suggested the problem
might be the DSL modem so we installed a new one, but
nope, the errors were still there.

So now we wait for a visit from another engineer who specializes
in wiring and who will, so we understand, check
the cabling from the demarc to the pole and then to
whence it comes — presumably all the way back to the
DSL access module.

What we wonder about is the maintainability of this technology.
If Ethernet were this complex, unreliable and hard
to diagnose, local area networking would still be in the
dark ages of ProNet and Token Ring.

We’re supposed to be wiring the country, creating a broadband-connected
culture to gain the benefits of an always-on,
always-connected, high-speed communications infrastructure,
but it appears we’re still in the
sacrificing-a-chicken-before-we-turn-it-on stage.

More  after  the  cabling  wizard  puts  in  an  appearance. 

As we don’t have a lot more space, we’ll conclude this column
with a request for your favorite tools and utilities. We
just had to rebuild a PC that had creeping Winrot, and we
found ourselves reinstalling certain tools that we knew we
couldn’t live without.

For example, Process Explorer from Sysinternals, a serious
replacement for the Windows Task Manager, and Irfanview,
an amazing file viewer and player that can understand and
display a remarkable number of formats (see
www.networkworld.com, DocFinder: 1745). And how would we get
anything done without Vim for editing files, and the command-line
wget (DocFinder: 1746) or the GUI-based
FileZilla (DocFinder: 1747) to get files?

So, what’s in your tool chest? Inventories to
gearhead@gibbs.com.


GEARHEAD

INSIDE  THE 
NETWORK 
MACHINE 

Mark  Gibbs 


The  scoop:  Wireless  Music  System  for  PC,  about  $150,  from 
Logitech 

What it is: The Wireless Music System is a USB transmitter
and Bluetooth receiver that lets you listen to music stored on a PC and
stream it to any stereo system within a 330-foot radius of the transmitter.
The system includes a remote control that lets you change songs or
change the volume without having to run back to the original PC. A
docking station for the USB transmitter lets you connect to a desktop
PC, or you can detach that and use the transmitter with a notebook
PC. The transmitter connects to the PC . . . songs via USB, and
the receiver connects to a stereo system via composite audio cables
(you also can connect to a portable speaker system via a
stereo headphone jack, but you’ll need to buy a separate cable).

Listen to your iTunes through any stereo system with the Logitech
Wireless Music System.

Why it’s cool: If you’ve taken a lot of time to transfer
your CDs into MP3 format, or if you’ve
caught the wave of the 99-cent song download from iTunes, you have a lot of
songs on a PC but can only play them on that PC (or your iPod). Playing the
songs on a better stereo system becomes difficult, especially if you want to
play a specific playlist that you’ve built. Existing products intended to let you
listen to music stored on a PC on a separate stereo system require a networked
media player or other device that connects via wired Ethernet or wireless
(802.11b/g) network. Since the system is basically acting like an extended set
of speakers and it runs over Bluetooth, you don’t have to do any wireless configurations
(especially security).

A  bonus  of  the  Logitech  Wireless  Music  System  is  that  it  will  play  any  of  your 
purchased  iTunes  Music  Store  songs  (or  other  DRM-purchased  songs)  on  the 
stereo  system.  Another  advantage:  If  you’ve  been  using  iTunes  to  listen  to 
Internet  radio,  you  can  stream  the  feed  from  your  PC  to  the  stereo  system. 

The Logitech system also is scalable; additional receivers (priced at $80 each)
can be connected to other stereo systems in your house. The USB transmitter can
support as many as 16 receivers. Included software lets you control what room
and receiver the music plays in (although if you get to this point, you might just
want to invest in a multiple-room system such as the Sonos Digital Music
System).

Some caveats: The $150 price tag seems a bit high when you consider it’s
about the same as similar networked media players that also let you view photos
or movies over a regular network. Still, an uncomplicated setup and configuration
makes it worth the cost. The Bluetooth system also may interfere
with any existing 2.4-GHz networks, but there is a button on the back of the
receiver that lets you switch from a variable frequency range to one that’s
fixed.

Grade:  ★★★★  (out  of  five) 

Shaw  can  be  reached  at  kshaw@nww.com.  Check  out  a  new  Cool  Tools  Video 
Show  (including  a  demonstration  of  the  Logitech  Wireless  Music  System)  every 
Thursday  at  www.networkworld.com/video. 


John Dix

Soft  tokens  at  the 
new  Interop  show 

The first East Coast Interop since 2002 bowed in in New
York just before Christmas, and while small by Interop
standards, was focused and decently attended.

The show featured about 100 vendors vs. the 270 that
showed up in Las Vegas last May but was conspicuously missing
the support of longtime backers Cisco and Microsoft.
Anchoring the show floor were Foundry and AT&T, with
other large booths taken by APC, CA, Extreme and HP.

Vendors expressed mixed reactions about attendance levels;
some were pleased to see buyers from big local companies,
while others said attendance was too light. There were,
however, many interesting technologies on display.

One company on the show floor that was telling an interesting
story was Diversinet, which was talking up its software-based
two-factor authentication technology.

A core rap against two-factor authentication based on
hardware tokens is the cost of deployment and management,
which puts it out of range of any company looking
to use the technology to secure communications with
consumers.

Diversinet’s MobiSecure soft tokens, on the other hand, are
generated by a small application that can be deployed to
cell phones, PDAs or even Windows-based PCs, says Wally
Kowal, vice president of marketing.

In use, the MobiSecure tokens are employed the same way
as hard tokens. When users log on they are asked for a password
and the code generated by their token (the second factor).
The algorithm on the user’s device creates the one-time
code by combining a secret client credential (loaded during
provisioning) with a sequential counter. The validation server
knows the credential and sequence for that given client and,
if it generates the same code, grants access.

After the session ends, the sequence number is incremented
so that code can never be used again, Kowal says.
The sequencing is the primary difference between MobiSecure
and hard tokens from companies such as RSA
Security, which keep the validation server and tokens in
sync at all times.
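
The counter-based exchange described above, sketched as an added example (it is not Diversinet's code and not part of the original column). It assumes the OATH HOTP construction from RFC 4226 (HMAC-SHA-1 with dynamic truncation) as the code algorithm; the class names, the look-ahead window and the failure limit are illustrative assumptions, and the server here advances its counter when a code validates.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time code from a shared secret and an 8-byte counter (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks the slice
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class SoftToken:
    """Client side: the provisioned credential plus a local counter."""

    def __init__(self, secret: bytes, counter: int = 0):
        self._secret = secret
        self._counter = counter

    def next_code(self) -> str:
        code = hotp(self._secret, self._counter)
        self._counter += 1  # the token never emits the same counter twice
        return code


class ValidationServer:
    """Server side: one (secret, next expected counter) record per client."""

    def __init__(self, look_ahead: int = 3, max_failures: int = 5):
        self._clients = {}
        self._look_ahead = look_ahead      # tolerated unused codes (assumed)
        self._max_failures = max_failures  # guess limit before lockout (assumed)

    def provision(self, client_id: str, secret: bytes, counter: int = 0) -> None:
        self._clients[client_id] = {
            "secret": secret, "counter": counter, "failures": 0}

    def verify(self, client_id: str, code: str) -> bool:
        rec = self._clients.get(client_id)
        if rec is None or rec["failures"] >= self._max_failures:
            return False  # unknown client, or locked after repeated failures
        for step in range(self._look_ahead + 1):
            candidate = rec["counter"] + step
            expected = hotp(rec["secret"], candidate)
            # Constant-time comparison avoids leaking how many digits matched.
            if hmac.compare_digest(expected.encode(), code.encode()):
                # Move past the accepted counter: this code and every
                # earlier one can no longer validate (replay protection).
                rec["counter"] = candidate + 1
                rec["failures"] = 0
                return True
        rec["failures"] += 1
        return False


if __name__ == "__main__":
    # Constructed demo using the published RFC 4226 test key.
    key = b"12345678901234567890"
    server = ValidationServer()
    server.provision("alice", key)
    token = SoftToken(key)
    first = token.next_code()
    print("first code accepted:", server.verify("alice", first))
    print("same code replayed: ", server.verify("alice", first))
```

The look-ahead window is what lets a token that generated a few unused codes resynchronize; a wider window makes guessing easier, which is why it is paired with a failure limit.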

Diversinet’s technology is compliant with the reference
architecture for strong authentication from the Initiative for
Open Authentication (OATH). Launched in 2004, OATH (see
www.openauthentication.org) is backed by companies including
IBM Tivoli, VeriSign and Citrix.

Although they might not be as secure as hardware technologies,
the market for soft tokens such as MobiSecure has
to be much larger. This is interesting stuff that we can expect
to hear more about when Fall Interop arrives back in New
York on Sept. 18.


—  John  Dix 
Editor  in  chief 
jdix@nww.com 


CP80  not  censorship 

Regarding Mark Gibbs’ BackSpin column “Putting lipstick
on the Internet porno-pig” (www.networkworld.com,
DocFinder: 1734): I don’t understand Gibbs’
problem with the CP80 initiative. CP80 isn’t suggesting
banning any content from the Internet; it is an
innovative proposal to create a way to filter content.
Simple firewall configuration would allow you to
make sure that questionable Web sites can’t be accessed
by your child or at your company. The main
problem I can see would be compliance. Everything
is already on Port 80 — how hard would it be to separate
all of the questionable content out now? Perhaps
a revision is needed, such as marking a different
port as clean and only letting approved content use
that channel. But I don’t see how censorship would
be the major drawback, since it’s entirely up to the
user whether or not to block other ports.

Steve Pritchard
Clarence, N.Y.

Misnomer 

Christopher Sloop’s defense of WeatherBug (DocFinder:
1737) is well written and certainly serves to
dispel some common myths about what the product
does in the background. However, I think the perception
of WeatherBug is not helped by its moniker: Most
IT professionals will be loath to install any software
product that has “bug” in its name.

Paul  Lourd 
Greenwich,  Conn. 

Wowed  by  wikis 

Regarding your feature “The wild world of wikis,
Weblogs, podcasts and RSS” (DocFinder: 1735):
Wikipedia is not the original wiki, and your story
creates the perception that big, public examples like
Wikipedia are the way wikis work. Most wiki activity
is being done behind enterprise firewalls or on personal
server networks for small, independent
groups. I recently posted my thoughts on this subject
and the misperception that tech media and
business media are creating when it comes to wikis
(see DocFinder: 1736).

Kris  Olsen 
Consultant  and  blogger 
Cincinnati 

Delivery  not  bug-free 

In “What’s behind on-demand software’s rise” (DocFinder:
1738), Ed Barrett of CareRehab states, “We
don’t want to invest in a lot of software. We have in the
past and now it is shelfware because it did not work
for a variety of reasons.” I presume Barrett thinks if he
gets software over the wire it will be free of bugs and
work as advertised. My 20 years of experience tells
me he is shortsighted at best and naive at worst.

The delivery medium is not going to preclude what
network administrators have known for years: Software
vendors routinely sell software that does not
work, does not work as advertised and does not
work within critical subroutines of the software
proper. It is rushed to market without complete testing,
and the end user is the one who will end up on
the wrong side of an application fault, much to the
chagrin of the corporate bottom-line profitability.
Software-as-a-service will only allow the delivery of
this abuse at wire speed.

Rocky  Habeeb 
Microsoft  systems  administrator 
James W. Sewall Co.
Old Town, Maine

E-mail letters to jdix@nww.com or send them to John Dix, editor in chief, Network World, 118 Turnpike Road, Southborough, MA 01772. Please include phone number and address for verification.

USER VIEW
Chuck  Yoke 


Visit  the  IT  SPA  in  2006 


With the start of another year, many IT professionals are completing their training plans. While most budgets have been set, there are still decisions to be made about the specific training to undertake. You may be evaluating a variety of technical training courses or industry certification options. While these have value, my recommendation is to add a trip to the IT SPA to your training for 2006.

“IT SPA” is my acronym for three skills that are critical in the IT world — straddling, planning and analysis.

In the past, technical skills and industry certifications were primary factors for career advancement in IT. The current focus on utility computing, outsourcing and offshoring, however, has begun to diminish the emphasis on engineering, programming and operations skills, which many organizations consider to be commodity items that vendors can provide. The value of IT comes from its overall business value rather than its technical value. Because of this, internal IT departments are becoming more business-facing and customer-focused than ever before. Skills such as relationship management (straddling), project management (planning) and business analysis (analysis) are fast becoming the basis for both job security and career advancement.

A variety of third-party vendors can run your data center and IT operations, but relationship management is an internal skill all IT departments need. Relationship managers meet with users and understand their business needs intimately. They work within the IT organization as a customer advocate, and concurrently work within the business to communicate the value of IT. With one foot in the business and the other in technology, they straddle the gap between the customer and IT.

Network and systems engineering also can be outsourced to third parties, but project management is needed in-house. Project managers ensure that IT projects and initiatives are completed on schedule, stay within budget and meet stated requirements. Knowledge of a company’s financial budgeting, management and reporting processes is crucial to this role, along with an overall knowledge of team building, resource management, work scheduling and risk management. If relationship managers are the voice of the customer, the project manager is the voice of the business, ensuring that fiscal, timeline and functionality requirements are met.

Application development can be offshored, but in-house business-analysis skills are critical in making sure the applications perform as needed. Business analysts focus on business requirements. They meet with process owners to document requirements, translate the requirements into specifications the application development groups need and work with development teams to ensure the applications provide the needed functionality. They are the liaison between business process owners and application developers, ensuring that usable and productive applications are developed.

Just as a trip to a real spa is meant to invigorate the body, mind and spirit, a dive into the IT SPA can invigorate your career and provide bigger challenges, bigger rewards and hopefully bigger paychecks. Take time to visit it in 2006.

Yoke is director of strategy and architecture for a global travel and real estate company. He can be reached at ckyoke@yahoo.com.


TELECOM CATALYST
Daniel Briere


Moore's Law, Metcalfe’s Law; now McGuire’s


Russ McGuire is a really smart guy, the type of guy who does not think outside the box but rather about what the box should look like to begin with. He was chief strategy officer for TeleChoice back when the industry could support a smart guy sitting around thinking about where the telecom market was going to go next. Some of our best thinking has come from discussions with Russ, who is now deep in Sprint/Nextel’s strategy organization.

In the course of a strategy project we were working on recently at Sprint/Nextel, we heard people talking about McGuire’s Law and how it will impact the company’s future direction. McGuire’s Law is rather simple. When you speak to Russ, he’ll talk humbly about the Law of Mobility (it’s his compatriots that speak of it as McGuire’s Law). The period from 1985-1995 was very much dominated by the massive impact of the PC on business — driven by Moore’s Law, which states that computer processing power doubles every 18 months at the same price point. The period from 1995-2005 has been dominated by the impact of the Internet on business — driven by Metcalfe’s Law, which states that the value of any network increases exponentially with the number of users.

Recent events have coalesced to bring us to a third period, the Age of Mobility. The integration of the Centrino chip into laptops has cemented the move to Wi-Fi everywhere. Cell phones have been taking off on their own accord, spawning products such as ringtones and fashion accessories. Until recently, McGuire notes, the cost of taking an object and having it talk to the network from wherever it was has been relatively expensive. Recent technological changes have pushed us over a new threshold, however, and now the value of adding mobility to any product outweighs that increased cost. That’s the tipping point.

So we’re now in the Age of Mobility, governed by the Law of Mobility. Thanks to cost reductions of Moore’s Law, scalability resulting from Metcalfe’s Law, convergence and miniaturization of devices and increasing ubiquity of 3G wireless networks, the cost of making any product (especially one involving information) available all the time is plummeting. Therefore, McGuire concludes, just as computing power and the Internet have been built into virtually every product, mobility is beginning to be built into every product.

The Law of Mobility states that the value of any product or service increases exponentially with mobility. McGuire points to the TV set. If one were to graph price vs. display size, with the $3,500 42-inch plasmas at one end, all the way down to the 5-inch, black-and-white handheld AM/FM units that you can get for about $30, then you’d think that a 2-inch screen on your cell phone would be worth about $20. Yet users will pay far in excess of this — including monthly and even per-show fees — to be able to squeeze in their favorite sitcom while riding home on the subway.

The key to the measure of mobility is the increase in the percent of time the product is available for use. A smartphone with Windows Mobile has a premium that approaches the cost of a desktop computer even though it has far less screen real estate, far less memory, virtually no disk space and poor excuses for Word, Excel and PowerPoint, but it’s with you 100% of the time.

The challenge for IT is to figure out how to help your firm build mobility into products to add exponential value. You deployed the PCs during the Age of the PC; you networked everything you could during the Age of the Internet. Now, during the Age of Mobility, the strategic thinkers are asking, “What are you doing to mobilize your products on behalf of your company?” It’s an IT manager’s dream world.

More than anything else, what I like about the thinking around McGuire’s Law is that it puts today’s IT challenges into a framework that a board of directors can understand. They know Moore. They know Metcalfe. It’s time for them to meet McGuire. You can check out his thoughts at www.networkworld.com, DocFinder: 1721.

Briere is CEO of TeleChoice, a market strategy consultancy for the telecommunications industry. He can be reached at telecomcatalyst@telechoice.com.


Feeding  the  need  for  speed 

With  Web  front-end  accelerators,  pick  one:  speed  or  scalability. 


BY  DAVID  NEWMAN,  NETWORK  WORLD  LAB  ALLIANCE 

Web front-end accelerators use a grab bag of techniques to speed delivery of content, including application-layer switching, HTTP compression and TCP multiplexing.


The problem is that Web front-end devices either make traffic go very fast for a limited number of users or handle a very large number of users — but they can run into trouble doing both at the same time.

That’s the major conclusion of the industry’s first comprehensive performance tests of Web front-end devices. For nearly a year, we benchmarked devices from leading vendors Array, Citrix, Crescendo Networks, F5 Networks, Foundry Networks and Juniper Networks.

Among  our  findings  in  this  inaugural  test: 

•  The benefits of application acceleration are real. Properly implemented, devices can speed delivery of content to users while simultaneously lightening the load for data-center servers.

•  HTTP compression doesn’t always reduce response time, and can increase it in some situations, even with highly compressible text objects and very low client access rates.

•  TCP multiplexing can dramatically reduce network processing overhead on servers, by nearly 350-to-1 in one case.

•  Some devices don’t offload much TCP connection processing when users request pages quickly (as on e-commerce sites).

•  Web front-end devices exhibit big variations in the maximum number of connections they handle and the maximum rates at which they move traffic.

As is often the case with any new market category, there are substantial differences in terms of form factor, topological requirements and supported features (see “One size doesn’t fit all” at www.networkworld.com, DocFinder: 1725).

Because of those differences, and because this is a relatively new product category and no device aced all tests, we’re not scoring products this time around. As our results clearly show, different Web front-end vendors have put their development dollars in different places (see vendor modules at DocFinder: 1726).

Two products deserve special mention. Crescendo’s CN5080-E is a screamer of a performer, turning in top results in many of our tests due to its use of custom hardware for content switching. And Citrix’s NetScaler Application System combines high scalability with a rich application-acceleration feature set.

To  the  test 

Although an earlier test compared Web front-end features (see DocFinder: 1731), the emphasis this time was on Web front-end performance.

Tests fell into two main areas. Services tests measured transaction rates and response times for a given number of users, both with and without HTTP compression applied, and with and without access control lists in place and distributed denial-of-service attacks underway (see services test results, page 39). Scalability tests demonstrated the limits of system performance in terms of maximum concurrent connection capacity, TCP multiplexing ratios and maximum forwarding rates (see scalability test results, page 42).


NetResults

Product: TMX5000
Vendor: Array Networks, www.arraynetworks.net
Price: $33,800
Pros: High transaction rates; economical.
Cons: Only one interface each for client- and server-facing networks vs. four for some competitors; compression cannot be applied selectively; no per-URL filtering.

Product: NetScaler Application Delivery System 6.0
Vendor: Citrix Systems, www.citrix.com
Price: $52,500
Pros: Highly scalable in tests of concurrent connections, goodput, TCP multiplexing with long think times; rich feature set.
Cons: Sensitive to transaction rates in TCP multiplexing and HTTP compression tests; only two interfaces each for client- and server-facing networks, vs. four for some competitors.

Product: CN-5080E
Vendor: Crescendo Networks, www.crescendonetworks.com
Price: $48,000
Pros: Screaming performance delivers top placements in most tests.
Cons: No support for caching, URL rewriting or IP subnet-based access control; routes rather than switches among interfaces.

Product: BIG-IP 6800
Vendor: F5 Networks, www.f5.com
Price: $66,000
Pros: Decent performer; rich feature set; good response-time reduction; highly scalable.
Cons: In goodput tests, system design requires hundreds or thousands of users to reach top speeds.

Product: ServerIron 450
Vendor: Foundry Networks, www.foundrynet.com
Price: $38,000
Pros: High port density; scalable (more than our results suggest); Cisco IOS-like command-line interface.
Cons: No support at test time for HTTP compression; limited visibility for ICMP distributed denial-of-service attacks.

Product: DX 3600
Vendor: Juniper Networks, www.juniper.net
Price: Single unit, $55,000; four units, $220,000
Pros: ActiveN feature allows multiple boxes to work together for scalability and high availability; four-box configuration is a strong performer.
Cons: Limited horsepower on a single box; response time was sluggish until Juniper tuned memory settings.

It’s important to note that we’re not claiming either set of tests represents “real-world” behavior for all users. There are too many variables in application load testing for a one-size-fits-all definition of that term to be meaningful (see “Your mileage will vary,” DocFinder: 1727). Still, these tests offer useful comparisons in that we offered the same traffic at the same levels to each device tested.

Our test bed emulated as many as 2.35 million unique clients and 16 Web servers (see “How we did it,” DocFinder: 1728). In some events, we pounded the devices with traffic at gigabit Ethernet LAN rates, pushing traffic at rates approaching 4Gbps. In other tests, we emphasized scalability in terms of large numbers of users or high transaction rates rather than focusing on high forwarding rates.

No device aced every event; rather, the results suggest different vendors optimized for different aspects of device performance. Some dramatically offload servers from the burden of TCP processing overhead, while others use HTTP compression to reduce response time. Devices also vary widely in terms of the scalability of connection counts and “goodput” rates, which reflect how quickly a device transmitted requested HTTP objects back to the client.

Faced  with  all  these  differences,  the  best  advice  we  can 
offer  in  choosing  a  Web  front-end  device  for  your  network 
is  to  assess  which  of  these  metrics  matters  most,  and  go  for 
the  box  that  delivers  the  biggest  benefit  in  that  area. 


Thanks 

Network World is grateful for the support of vendors that provided test bed infrastructure for this project. Spirent Communications supplied its Avalanche and Reflector 2500 traffic generator/analyzers as well as scripting and engineering support. Apcon supplied its Intellapatch 64 virtual patch panel and Extreme Networks supplied a Summit 7i gigabit Ethernet switch.

Newman is president of Network Test, an independent engineering services consultancy in Westlake Village, Calif. He can be reached at dnewman@networktest.com.


The Web front-end name game

As with any new technology, there's considerable marketplace confusion surrounding these devices, starting with what they're called. We refer to these products as Web front-end devices because they speed the delivery of content from Web server farms to end users requesting that content. But they go by other names as well, including application accelerators, content switches and application delivery controllers. Terms with “application” or “content” in their names may be the most apt, because these devices handle many application types, not just Web requests.

Whatever they’re called, these devices differ from conventional load balancers in many ways. New features include Layer-7 switching, TCP multiplexing, HTTP compression, URL inspection and rewriting, caching, SSL capabilities and surge protection.

Not all devices offer all these features, but the majority cover at least some. For a full breakdown of what each product has to offer based upon vendor responses to our survey, check out our online features comparison at www.networkworld.com, DocFinder: 1722.


The squeeze play is all part of the game

With compression, you’ll win some and lose some.

BY DAVID NEWMAN, NETWORK WORLD LAB ALLIANCE

While scalability tests help to size a Web front-end device for a particular network (see scalability test results, page 42), services tests are arguably more important, because they more closely approximate application behavior.


In this series of tests, we measured transaction rates and response times for a given number of users, both with and without HTTP compression applied, and again with and without access control lists (ACL) in place and distributed denial-of-service (DoS) attacks underway. The most contentious area of this project was the effect of HTTP compression on application performance (read about our attempts to get the right user mix to test compression at www.networkworld.com, DocFinder: 1723).

Compression seems like a simple enough idea: Put the squeeze on data headed to clients, and it will arrive faster. Because smaller compressed objects take less time to send than larger uncompressed ones, response times should fall and transaction rates may rise.

That’s  the  theory,  anyway.  In  practice,  our 
results  suggest  compression  is  only  effective 
under  some  circumstances.  It  takes  time  to 
compress  an  object,  raising  concerns  as  to 
whether  the  delay  outweighs  the  bandwidth 
savings. 

Typically, compression makes the most sense for clients with low-speed access, such as those coming in via dial-up or cable or DSL circuits. But add a little bit of LAN traffic to the mix, and compression benefits can disappear. Worse, in some cases HTTP compression degrades response time and transaction rates — even when only dial-up and cable or DSL users are present.

We  compared  the  results  of  tests  run  with 
compression  disabled  and  enabled.  Spirent 
Communications’  Avalanche  and  Reflector 
test  tools  offered  the  same  traffic  in  both 
cases,  and  we  measured  transaction  rates 
and  response  times  to  determine  the  effects 
of  compression. 

We ran the tests with two traffic loads: first with a 500KB text object, and again with the home pages from five popular Web sites — Amazon.com, the BBC, UCLA, the White House and Yahoo — along with all images and other objects from those pages. We chose the 500KB text object because (at least in theory) it was highly compressible, and the five-site test because it represented a more typical mix of text, images and other content types found in production settings.


Compression and response time with a 500KB text object

HTTP compression reduced response time for all devices handling 1,000 concurrent users, but it was a different story with 12,000 users. Although the Crescendo, F5 and Juniper four-box systems continued to reduce response time when we enabled compression, the other devices took longer to serve content with HTTP compression enabled than without it. Foundry Networks did not support HTTP compression at the time we tested its product.

Foundry's ServerIron does not support HTTP compression, though the vendor says it plans to do so this quarter. We asked all other vendors to enable compression for dial-up and cable or DSL users.

We  expected  tests  with  500KB  text  objects  to  show  the 
biggest  benefit  from  HTTP  compression,  but  that  was  not 
always  the  case.  As  it  turns  out,  getting  any  benefit  from 
compression  depends  on  transaction  rates. 
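
A simple model of the trade-off described above, added here as an illustration and not taken from the article or any vendor: response time is the compression delay plus the transfer time over the client's link. The payloads are constructed, and the per-connection compression throughput figures (5MB/s on a lightly loaded device, 50KB/s on a heavily loaded one) are assumptions, not measurements from these tests.

```python
import random
import zlib

# Client access rates in bits per second.
DIALUP_BPS = 56_000
DSL_BPS = 1_500_000
LAN_BPS = 1_000_000_000

# ASSUMED share of the device's compression engine available to one
# connection, in bytes per second. Hypothetical values for illustration.
LIGHT_LOAD_BYTES_PER_S = 5_000_000
HEAVY_LOAD_BYTES_PER_S = 50_000


def make_text_object(size=500 * 1024, seed=1):
    """Constructed, highly compressible stand-in for a 500KB text object."""
    rng = random.Random(seed)
    words = [b"web", b"front-end", b"device", b"http", b"compression",
             b"response", b"time", b"<p>", b"</p>"]
    out = bytearray()
    while len(out) < size:
        out += rng.choice(words) + b" "
    return bytes(out[:size])


def make_image_like_object(size=500 * 1024, seed=2):
    """Constructed stand-in for already-compressed content such as images."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


def response_times(payload, link_bps, compress_bytes_per_s):
    """Return (uncompressed_seconds, compressed_seconds) for one object."""
    compressed = zlib.compress(payload, 6)
    plain = len(payload) * 8 / link_bps
    squeezed = (len(payload) / compress_bytes_per_s
                + len(compressed) * 8 / link_bps)
    return plain, squeezed


def break_even_bps(payload, compress_bytes_per_s):
    """Client link rate above which compression makes delivery slower.

    Compression helps only while the transfer time saved exceeds the time
    spent compressing. Returns 0.0 when the object does not shrink.
    """
    compressed = zlib.compress(payload, 6)
    saved_bits = (len(payload) - len(compressed)) * 8
    if saved_bits <= 0:
        return 0.0
    compress_delay = len(payload) / compress_bytes_per_s
    return saved_bits / compress_delay


if __name__ == "__main__":
    text = make_text_object()
    image = make_image_like_object()
    for label, rate in (("light load", LIGHT_LOAD_BYTES_PER_S),
                        ("heavy load", HEAVY_LOAD_BYTES_PER_S)):
        print(f"{label}: text break-even "
              f"{break_even_bps(text, rate) / 1e6:.2f} Mbit/s, "
              f"image break-even {break_even_bps(image, rate):.0f} bit/s")
        for name, bps in (("dial-up", DIALUP_BPS), ("DSL", DSL_BPS),
                          ("LAN", LAN_BPS)):
            plain, squeezed = response_times(text, bps, rate)
            print(f"  {name:8s} plain {plain:8.3f}s  compressed {squeezed:8.3f}s")
```

In this model the break-even link rate scales with the compression throughput each connection gets, so a device whose compression engine is saturated can slow down even DSL clients while still helping dial-up ones.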

In tests with 1,000 concurrent users and relatively low transaction rates, all products showed significantly reduced response time when we enabled HTTP compression. Juniper’s single-box solution edged out Citrix’s device for the biggest reduction in response time, with both vendors delivering data more than 2.5 times faster with compression enabled. For users on low-speed lines, this is a very significant speed boost.

We  added  a  12,000-user  test  because  there  was  relatively 
little  differentiation  among  transaction  rates  in  the  test 
with  1,000  users.  For  all  devices,  rates  for  the  1,000-user 
tests  hovered  between  11  and  15  transactions  per  second 
regardless  of  whether  HTTP  compression  was  enabled.  We 
don’t  necessarily  expect  HTTP  compression  to  increase 
transaction  rates,  but  the  lack  of  differentiation  suggests 
the  test  doesn’t  push  any  of  the  boxes  all  that  much.  A 
good  benchmark  should  be  stressful. 

Ideally, response times for compressed and uncompressed data should have been about the same in the 1,000- and 12,000-user tests. Not only was this not the case, but in some instances response times were much higher with compression than without it.

The Array, Citrix and Juniper single-box solutions showed increased rather than decreased response times. Citrix’s NetScaler Application Delivery System and Array’s TMX5000 had the most trouble, raising response times by factors of 3.1 and 2.6 respectively. Just as the easier test sped up delivery of data, these results essentially mean a heavily loaded device would deliver data roughly three times slower.

Citrix  supplied  Version  6.0  of  its  software  for  testing  but 
says  Version  6.1,  now  generally  available,  produces  a 
much  lower  response  time.  In  internal  tests,  Citrix  says,  it 
sees  response  time  fall  from  34  seconds  to  18  seconds 
when  HTTP  compression  is  enabled  with  12,000  users; 
we  did  not  verify  this. 

Not all devices struggled in this test. The Crescendo, F5 and Juniper four-box solutions all reduced response time by some degree, just as they did in the earlier tests. Crescendo’s device did especially well here because of its use of hardware-based HTTP compression and forwarding, which made its response times among the lowest and most consistent across all tests.

Citrix representatives raised a number of objections to this test. First, they asserted that the Citrix device would have done much better if we had enabled both compression and caching. That’s certainly plausible; caching would have freed up the Citrix box from having to fetch all objects from servers, and also might have given the device a chance to precompress objects. With caching, we might not have stressed the NetScaler Application Delivery System’s compression engine nearly as much as we did. The Array, F5, Foundry and Juniper devices also support caching and might also have improved their results.

Second, Citrix representatives said the test was “not real-world” because no customer network has 12,000 users simultaneously requesting 500KB objects. That’s correct, but misses a key point: Just as we test switches or routers with loads consisting exclusively of all small or large packets, the goal of an application load test is to describe limits of device performance. To find those limits, tests should be stressful.

Third, Citrix noted that the Avalanche client emulator does not cache objects, while a real browser would. Here again, browser caching would have considerably lightened the load on all devices, including the NetScaler Application Delivery System — and the test would have been considerably less stressful.

While  there  is  merit  to  all  of  Citrix’s  objections,  we  don’t 
see  this  as  a  torture  test.  Even  with  12,000  concurrent 
users,  transaction  rates  were  still  very  low  because  of  the 
low  access  speeds  involved. 

Citrix’s device handled 130 transactions per second in the uncompressed test, and 65 transactions per second with HTTP compression enabled. In contrast, the Crescendo, F5 and Juniper four-box solutions showed increased transaction rates with HTTP compression enabled. But even the fastest box — Crescendo’s, with compression enabled — handled fewer than 200 transactions per second in this event. Further, all clients came in at rates of 1.5Mbps or less, and also waited 60 seconds between requests. Those are hardly the kinds of conditions we’d expect to lead to performance degradation.

We also used five Web sites’ home pages to measure response times and transaction rates. In this test, there were 100,000 concurrent users active.

Because the home pages combine text with less-compressible or uncompressible objects such as graphics files, we expected to see a smaller difference between the uncompressed and compressed test cases.

That’s generally what happened (see graphic below). With the 500KB text object, compression cut response time in half. With the five-site test, the differences in response time were more typically around 20% or 30% — still significant, but nowhere near as much as with highly compressible text objects alone.

Crescendo’s device showed the greatest benefit in response time, but that’s partially because its page response time without compression was relatively high. Even so, Crescendo’s CN-5080E delivered the second-lowest response time in this test, about 400 milliseconds behind Juniper’s four-box solution.

On the other hand, Juniper’s single-box solution turned in by far the highest page and URL response times of any device tested. Further, a single DX 3600 showed increased response time when we enabled HTTP compression. Judging from its high CPU utilization during this test, the load of 100,000 users all asking for five home pages with more than 200 objects was simply too heavy a load for a single DX 3600.

Most of the other devices weren’t far behind the Juniper four-box and Crescendo devices, with page response times averaging between 20 and 25 milliseconds. In all cases except that of Juniper’s one-box solution, response times improved with HTTP compression enabled.

We also measured transaction rates with the five-site load (see “Compression and transaction rates with five popular Web sites,” below). The results were interesting in several ways. Unlike the 500KB text-object tests, there wasn’t much difference between test cases with and without compression. That’s not too surprising, considering that the amount of compressible data was a much smaller part of the total than in the 500KB text-object tests (where everything was compressible).

Strangely, transaction rates for Foundry’s ServerIron in this five-site test were much lower than those of most of the other devices. Foundry also was puzzled by these results. As in other tests, we obtained higher rates when running earlier versions of ServerIron code. Most other vendors handled about 10,500 transactions per second.

Compression and response time with five popular Web sites

The effects of HTTP compression were less pronounced when handling the home pages from five popular Web sites — Amazon.com, the BBC, UCLA, the White House and Yahoo — than with pure text traffic. That's because these sites involve less-compressible or uncompressible content such as images. Foundry Networks did not support HTTP compression at the time we tested its product.

[Chart: page response time in milliseconds (lower numbers are better), per URL with 100,000 users, without and with compression, for Array, Citrix, Crescendo, F5, Foundry, Juniper (one system) and Juniper (four systems).]


We used results from the five-site tests as baselines for two other measurements: performance with ACLs applied, and performance while under distributed DoS attack. In both cases, the goal was to determine whether there was any performance penalty from either of these conditions.

In the ACL tests, we asked vendors to configure their devices with 20 access-control rules. Ten of the rules blocked traffic from IP subnets, and 10 blocked traffic headed to specific URLs.

Not all vendors were able to do this. Array’s TMX5000 cannot block traffic to given URLs, so we instead applied rules denying access from 20 source IP networks. In contrast, Crescendo’s CN-5080E supports only filtering on URLs; it cannot block traffic from given source subnets. In Crescendo’s case, we used rules blocking access to 20 URLs.

We also asked vendors to configure safeguards against distributed DoS attacks, not only for this test, but for all tests we conducted. On the theory that “attackers don’t make appointments,” we did not tell vendors what attacks we would use, either before or after the test.

There was good news in both the ACL and distributed DoS results for all vendors. With ACLs applied, response times and transaction rates for all devices were virtually identical to their baseline numbers. At least with 20 rules applied, there doesn’t seem to be a performance cost to ACLs for any device.

The distributed DoS results also were nearly identical to the baseline numbers, but this test did require changes on the part of a couple of vendors. Crescendo’s system rebooted the first time we launched the distributed DoS attack, but a later (generally available) software release from the vendor corrected the problem. Juniper’s systems also became unresponsive during this test until the vendor tweaked its memory management settings.

All systems informed us they were under attack, although with varying levels of detail. We used two attacks in this test, one based on TCP and another based on Internet Control Messaging Protocol. Foundry’s ServerIron reported on both forms of attack, but we needed to delve down into a debug prompt to see whether the system saw the ICMP attack.


Speed  traps 

Scalability  tests  push  Web  front-end  box  limits. 


BY  DAVID  NEWMAN,  NETWORK  WORLD  LAB  ALLIANCE 

While our services tests assessed how well Web front-end devices handled application traffic, our scalability tests can help properly size one of these products for a particular network’s needs.

The scalability tests demonstrated the limits of system performance in terms of maximum concurrent-connection capacity, TCP multiplexing ratios and maximum forwarding rates. In all these areas, the test results show big differences among devices.

In the maximum concurrent-connections test, our goal was to determine how many client connections a device could handle. There were major differences among vendors in this test.

To determine connection count, we configured Spirent’s Avalanche to emulate as many as 4 million clients running Internet Explorer. Each client opened a TCP connection and requested a 1KB Web object from one or more of the Web front-end device’s virtual IP addresses (just as a single IP address for, say, www.amazon.com hides dozens or hundreds of servers, all these devices used one virtual IP address as a proxy for the back-end servers on the test bed).

After receiving the object, clients sat idle for 60 seconds before requesting another object over the same connection. This long “think time,” how long a client waits before requesting the next page, allowed us to build up connection count. For all vendors, we kept adding new connections until the device failed to complete some transactions or until we reached 4 million connections, the limit of our test bed. Even though our goal was a Layer-4 measurement — the number of established TCP connections — we used Layer-7 switching in this and all other tests.

Citrix’s NetScaler Application Delivery System set up 4 million concurrent TCP connections, the limit of our test bed (see “Maximum concurrent TCP connections,” DocFinder 1740). F5’s BIG-IP was next, setting up about 3.5 million connections, followed by Foundry’s ServerIron 450 with about 2.7 million connections.

Juniper’s DX 3600 topped out at 2 million connections with four systems working together, and 500,000 concurrent connections on a single box. The vendor says its appliance has a hard-coded limit of 500,000 connections per system, something reflected in our test results.

The Crescendo and Array systems each sustained fewer than 1 million connections. Crescendo says its device has a hard-coded limit of 1 million connections, a few of which are reserved for internal use.

Foundry objected to our test methodology, noting that we were stressing a limit of the ServerIron’s connection-establishment rate rather than its concurrent-connection capacity. Foundry says the ServerIron can set up more than 7 million concurrent connections when it handles connection-establishment requests at a lower rate, or with a longer think time between client requests.

We agree that rate and capacity are different variables, and ideally should be measured one at a time. Unfortunately, time constraints prevented us from rerunning these tests on all devices at a lower rate. The numbers we found are still valid, in that we tested all devices the same way, but we take Foundry’s point that its number (and perhaps that of other devices) reflects connection establishment rate, not just capacity.


TCP multiplexing

Although every device in this test supports TCP multiplexing, the 300-fold differences in the devices’ results clearly show that not all TCP multiplexing engines are built the same.

TCP multiplexing can offer a powerful performance boost by offloading computationally intense TCP processing from servers. It’s such an important feature that we used it as one of two criteria, along with Layer-7 switching, that all devices had to support.

To measure TCP multiplexing, we configured the Avalanche test tool to set up and maintain 100,000 TCP connections from emulated clients. As in the tests of response time with and without HTTP compression, clients requested home pages from Amazon.com, the BBC, UCLA, the White House and Yahoo. We compared the number of client-side connections (always 100,000) with the number of server-side connections over 60 seconds to determine the TCP multiplexing ratio.

The ratio of client-to-server connection counts may be dependent on user think times. For some devices, think time has a huge impact on multiplexing ratio; for others, it barely matters.


TCP multiplexing efficiency

TCP multiplexing — the ratio of client-side to server-side TCP connections — may depend on “think time,” the amount of time users wait between requests. The Citrix, F5 and Juniper four-box systems delivered much higher TCP multiplexing ratios with a 60-second user think time than with a 3-second think time. For most other systems, TCP multiplexing ratios were about the same, regardless of think time.

[Chart: number of client connections per single server connection for Array, Citrix, Crescendo, F5, Foundry, Juniper (one system) and Juniper (four systems).]


TCP multiplexing and transaction rates

Even though we offered HTTP requests at the same rates to all devices, the number of transactions delivered per second (tps) was very different. Crescendo delivered the highest rates in tests with a 3-second think time. Foundry's ServerIron had a rate of 0 tps with 3-second think times; its transaction processing was very periodic, and we repeatedly observed zero transactions completed during the steady-state phase of the test. With a 60-second think time, all devices except Array's, Foundry's and Juniper's one-box solution ran at roughly similar rates.

[Chart: transactions per second with 3-second and 60-second think times for Array, Citrix, Crescendo, Foundry, Juniper (one system) and Juniper (four systems).]


We began with a 3-second think time. That may not sound like much of a delay, but it does reflect the fact that visitors to e-commerce sites tend to move through pages very quickly. One study of QoS for e-commerce sites conducted at the University of Wisconsin (www.networkworld.com, DocFinder: 1730) assumed an average think time of 2.5 seconds per page, just below the 3-second figure we used. (You can perform your own benchmark by observing how quickly you move through pages next time you shop online.)

We repeated the test with a 60-second think time, a more appropriate interval for Web pages containing lots of text.

(If you’re reading this online, consider how long it’s been since you loaded this page.)

Most devices showed improved TCP multiplexing ratios with longer think times. The standout was Citrix’s NetScaler Application Delivery System, which mapped 346 client connections onto each server connection when we used 60-second think times. That’s a huge reduction in the workload for servers behind this box.

It was a very different story when we used a 3-second think time with the NetScaler Application Delivery System. The device set up just three client connections per server connection, a hundredfold reduction in TCP multiplexing efficiency compared with the 60-second case. Citrix says it normally delivers ratios much higher than 3-to-1 and cites as the culprits the lack of caching and the high transaction rates in our tests.

Crescendo’s CN-5080E offloaded TCP connections by nearly 100-to-1 with a 60-second think time in place. The vendor was disappointed to see “only” a 60-to-1 offload with a 3-second think time. We’re also unable to explain that result; in earlier tests with a different software release, the Crescendo box repeatedly set up 1,024 server-side connections regardless of think time (even with zero think time).

Foundry’s ServerIron also delivered some mysterious multiplexing results. It had regularly set up TCP multiplexing ratios of 50-to-1 in earlier tests, regardless of think time. But after an upgrade of the ServerIron code, the ratio fell to slightly more than 2-to-1. Foundry was unable to explain the difference and was also unable to reproduce this outcome in its own tests.


HTTP Goodput

"Goodput" describes application-layer performance by measuring forwarding rate, minus any data lost or retransmitted. Crescendo posted the highest goodput of any device tested, but results for the Array and Citrix systems also are noteworthy, in that both devices came close to the theoretical maximums for their lesser number.

Vendor                                    Goodput in Mbps
No device (baseline, four interfaces)     3,804
Array (one interface)                     963
Citrix (two interfaces)                   1,900
Crescendo (four interfaces)               3,244
F5 (four interfaces)                      2,594
Foundry (four interfaces)                 1,588
Juniper, one system (one interface)       629
Juniper, four systems (four interfaces)   2,120

Other vendors showed relatively little benefit from TCP connection count. For example, Juniper’s single-box results showed less than a 2-to-1 multiplexing ratio, regardless of think time. With four Juniper devices, the multiplexing ratio improved to 5-to-1 with a 60-second think time.

To understand why we saw such big differences in multiplexing ratios, it’s helpful to see the rate at which each box handled transactions (see “TCP multiplexing and transaction rates,” above). Note that emulated clients attempt to request objects at the same rate with all devices; thus, the differences in transaction rates are entirely a function of how fast each device responds. With the notable exception of Juniper’s DX 3600, devices that processed transactions at a higher rate achieved higher TCP multiplexing ratios.

One caveat before leaving the topic of TCP multiplexing: Just because a device offloads TCP connections from servers in a 100-to-1 ratio, it doesn’t mean 100 servers can be replaced with just one. Many other factors come into play, including server CPU and memory utilization, network utilization and application behavior. Even taking these factors into account, TCP multiplexing still can bring big benefits to beleaguered server farms.
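
The link between think time, response speed and multiplexing ratio can be reproduced with a small simulation. This is an added example, not part of the original article or any vendor's code: it models an idealized proxy that reuses idle server-side connections, and the client count, service times and the `min_pool` parameter are constructed assumptions (the fixed pool of 1,024 mirrors the constant server-side connection count reported above for an earlier Crescendo release).

```python
import heapq
import random

RESPONSE, REQUEST = 0, 1  # at equal timestamps, free a connection before reusing it


def simulate_multiplexing(clients, think_time, service_time,
                          min_pool=0, duration=120.0, seed=1):
    """Idealized proxy model (an assumption, not any tested device).

    Each client repeats request -> response -> think. The proxy reuses an
    idle server-side connection when one exists, otherwise opens a new one,
    and never closes connections during the measurement window.
    """
    if clients < 1 or service_time <= 0 or think_time < 0 or min_pool < 0:
        raise ValueError("need clients >= 1, service_time > 0, think_time >= 0")
    cycle = think_time + service_time
    if duration < cycle:
        raise ValueError("duration must cover at least one request cycle")

    rng = random.Random(seed)
    # Stagger first requests across one cycle so clients are not in lockstep.
    events = [(rng.uniform(0.0, cycle), REQUEST, cid) for cid in range(clients)]
    heapq.heapify(events)

    idle = min_pool      # server-side connections open and currently unused
    opened = min_pool    # server-side connections opened so far
    completed = 0
    while events:
        now, kind, cid = heapq.heappop(events)
        if now > duration:
            break
        if kind == REQUEST:
            if idle:
                idle -= 1        # reuse an existing server-side connection
            else:
                opened += 1      # none free: open another one
            heapq.heappush(events, (now + service_time, RESPONSE, cid))
        else:
            idle += 1            # hand the connection back to the pool
            completed += 1
            heapq.heappush(events, (now + think_time, REQUEST, cid))

    return {
        "server_connections": opened,
        "ratio": clients / opened,
        "tps": completed / duration,
    }


if __name__ == "__main__":
    # Constructed inputs: 5,000 clients, 20 ms and 500 ms per transaction.
    for service in (0.02, 0.5):
        for think in (3.0, 60.0):
            r = simulate_multiplexing(5000, think, service)
            print(f"service={service}s think={think}s "
                  f"server_conns={r['server_connections']} ratio={r['ratio']:.0f}:1")
```

In this model, on-demand reuse gives a higher ratio with a longer think time or a faster response, while a pre-opened pool gives the same ratio at any think time as long as demand stays below the pool size.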

Not  so  goodput 

Some of the devices tested have 16 Gigabit Ethernet interfaces or more, begging the question as to how quickly they forward data.

To find out, we measured each device’s “goodput” — defined in RFC 2647 as the amount of data received minus any data lost or retransmitted. In the context of this test, goodput is a Layer-7 measurement, reflecting how quickly a device transmits requested HTTP objects back to the client.

We measured goodput by setting up 100 emulated clients, each requesting 1MB objects from servers behind each device under test. As in all other tests, we used different patterns in the URL for each object, forcing devices to make Layer-7 switching decisions.

We began with a baseline measurement with no device present to demonstrate the channel capacity of our test bed. The goodput in this back-to-back test was about 3.8Gbps, close to the theoretical maximum rate when factoring for Ethernet, IP, TCP and HTTP overhead.

None of the devices came close to the baseline measurement, but there are some mitigating circumstances (see “HTTP goodput,” below). The Array, Citrix and Juniper single-box devices had fewer than four client and four server interfaces; thus, they could not achieve the same data rates as in our back-to-back tests. The Array and single-box Juniper entries each had one client interface; the Citrix device had two. Both the Array and Citrix results are much better than they look in comparison with four-interface boxes; both vendors’ devices ran at the maximum rate possible given their interface counts.

Even so, we’re a bit surprised that the devices didn’t come closer to our baseline. The fastest box was Crescendo’s CN-5080E, the only device to crack the 3Gbps line, because of its use of hardware acceleration for packet forwarding.

F5’s BIG-IP was next fastest, with a goodput of around 2.5Gbps. The vendor says the BIG-IP’s goodput partly depends on the number of clients it sees. F5 reran our tests internally with 1,000 and 10,000 users, and says it achieved goodput of as much as 3.2Gbps. We did not attempt to replicate this, but it does suggest that different user counts could affect goodput. (On the other hand, goodput topped out at around 25 to 30 users in our baseline tests with no device in line; any greater number of users had no effect, because the network was already saturated.)

Foundry’s ServerIron 450 moved traffic at around 1.9Gbps, or about half the theoretical maximum possible, a result Foundry replicated internally. Unfortunately, our production schedule did not allow time for further examination. Earlier builds of ServerIron code delivered goodput of at least 2.7Gbps, and the vendor says it has achieved rates in excess of 3Gbps in its internal tests.

Juniper’s four-box setup was the slowest of the systems with four interfaces. The vendor was not surprised by this result, and says it considers other acceleration features, such as caching and compression, far more important. We agree.

Goodput is a useful way to describe system capacity, but given that few if any users run their networks at maximum utilization, forwarding rates are probably less important than results of other tests. ■


Lab Alliance


■ Newman is a member of the Network World Lab Alliance, a cooperative of the premier testers in the network industry, each bringing to bear years of practical experience on every test. For more Lab Alliance information, including what it takes to become a partner, go to www.networkworld.com/alliance.

Other members: Mandy Andress, ArcSec; John Bass, Centennial Networking; Travis Berkley, University of Kansas; Jeffrey Fritz, University of California, San Francisco; James Gaskin, Gaskin Computing Services; Thomas Henderson, ExtremeLabs; Miercom, network consultancy and product test center; Christine Perey, Perey Research & Consulting; Barry Nance, independent consultant; Thomas Powell, PINT; Joel Snyder, Opus One; Rodney Thayer, Canola & Jones.


ISCSI vs. Fibre Channel: The battle is on


BY  MIKE  KARP 

Today and next week we will look ahead to more trends that we are likely to see in the New Year. At this point, it is time to make the obligatory comments about iSCSI and Fibre Channel storage-area networks . . . and about something else as well.

ISCSI vs. Fibre Channel has been an off-again/off-again battle for years now. Originally, the two were supposed to lock horns in a fight for the corporate IT SAN space. But iSCSI developed slowly, and it became obvious that the battle would come about later rather than sooner.

Then it looked like iSCSI would become the “SAN for the everyman”, a less expensive and easier to use format that would work well for smaller businesses and departmental needs and which would leave Fibre Channel products to provide for the high-end.

Now once again the technology sands have shifted beneath our feet and iSCSI — mostly riding the “powers of 10” increments that Ethernet provides (going from 100M to 1G to 10Gbps) — is now challenging Fibre Channel in the area of performance, and typically beating it when it comes to price.

Already I see a number of sites running iSCSI SANs at the same sites that house their Fibre Channel ones, and device vendors adding iSCSI connectivity to their high-end offerings.

At the same time, market pressure is nudging down the price of Fibre Channel. Increasingly, decisions about SAN technology are being made along financial lines rather than just being driven by what technology is available. So at last the battle is on.

Who will win? That may turn out to be irrelevant, and not just because there is plenty of business out there for both sides of the war. New SAN technology, one that requires no switches, is beginning to appear. As switches often represent a substantial part of the SAN environment, this approach offers the potential to seriously reduce the cost-per-gigabyte of SAN storage.

Small versions of a switch-less SAN are available in consumer products. In fact, I am running one now. Don’t be put off by the fact that this has such “humble” market beginnings, however.

Remember that PCs once started out at the bottom of the computing totem pole, but within a few years grew in power to the point where they were able to knock off all those expensive RISC-based engineering workstations where we once did all our CAD and engineering work.

Remember products from companies with names like Ardent, ComputerVision, Dana, HP, SGI, Stardent, Sun, and my old favorite, Lundy? Perhaps not, but no matter. The point is that once these powerful PCs were the answer to 99% of the market’s needs and once the software vendors caught on to that fact, for most of these vendors it was bye-bye.

If the scalability is what the vendors claim it to be for these switch-less products, and if the performance scales as well, this will prove to be a truly disruptive technology. These are, of course, important “ifs”, but keep an eye out for this. I sure am.

Karp is senior analyst with Enterprise Management Associates. He can be reached at mkarp@enterprisemanagement.com


Using QoS for WAN optimization


BY  DENISE  DUBIE 

With all the new IP applications traversing wide-area networks, industry experts speculate that past QoS measures need to be balanced against WAN optimization and application acceleration technologies.

According to a research report by Forrester Research analyst Robert Whiteley, QoS efforts aren’t so simple when it comes to ensuring the performance of IP-based applications over the WAN. With advanced traffic, such as multimedia applications crossing the lines, previous efforts at QoS could be foiled, the report says.

“QoS is a necessary — and often evil — component for multi-service networks. Its goal is to guarantee that not all traffic is treated equally,” Whiteley states. “It’s important to note that QoS is not a technology but rather an attribute of your network defined across many technologies like routers, switches, and appliances.”

He details how QoS helps network managers first mark traffic by classes of service and then shape traffic based on available bandwidth. A QoS-enabled network puts traffic into various buckets that represent classes of service (CoS). This involves distinguishing traffic that gets top priority down to that traffic with less importance, based on business needs or pre-set policies. Whiteley says when it comes to differentiating traffic, network managers need to be sure not to get too detailed because doing that makes QoS “exponentially harder to administer.”

Secondly, traffic shaping works with the pre-set buckets, or classes, of traffic to “throttle back excess packets” and “prevent one particular class from hogging” bandwidth. The main difference between CoS and shaping is the more dynamic nature of traffic-shaping technologies, from vendors such as Packeteer, which provide products to help address bursting traffic loads.

QoS requires ongoing maintenance and attention, Whiteley says. “Every time a company adds a new enterprise app, touches a significant network component, or adds and subtracts nodes — QoS must be revisited. Similar to any network policy, it has to be treated as an ongoing project subject to audits and regular refreshes.”

Whiteley advises that if companies cannot eliminate QoS in their networks they should opt to have it performed by a service provider as a managed service. He explains that applications often perform worst on the WAN, so there isn’t as pressing a need to implement QoS on the LAN.

“To mitigate the WAN complexity, Forrester recommends managed service providers such as AT&T and MCI,” Whiteley says. ■


Campus creates a collaborative IT culture

University  of  Md.,  Baltimore  CIO  Peter  Murray  discusses  how  he  achieved  that  goal. 


When  Peter  Murray  arrived  as  the  new 
CIO  for  the  University  of  Maryland, 
Baltimore  four  years  ago,  he  was  faced 
with  a  daunting  set  of  enterprisewide  IT 
projects  that  were  just  getting  underway 


There  was  no  formal  structure  for  effec¬ 
tively  organizing  and  deploying  these  pro¬ 
jects  across  the  UMB  campus’s  numerous 
IT  groups,  which  included  a  250-person 
central  IT  organization  as  well  as  local  IT 
units  in  the  university’s  schools  and  depart¬ 
ments,  the  highly  regarded  medical  center 
and  an  affiliated  organization  of  doctors. 

Network  World  Senior  Editor  John  Cox 
talked  with  Murray  to  find  out  how  he 
made  collaboration  possible.  What  follows 
is  an  edited  transcript  of  the  conversation. 

Network  World:  Why  did  the  university 
need  some  kind  of  special  effort  for  IT  col¬ 
laboration? 

Peter Murray: It’s not that collaboration did not occur before I arrived. We just took it to another level, a more formal level.

It  was  recognized  that  the  response  to 
[enterprise  IT]  issues  was  disjointed;  it 
was  difficult  to  bring  the  key  IT  activities 
together,  define  them  in  common  plans 
and  make  them  work  across  the  various 
campus  organizations. 

NWW: What’s a concrete example of the problems you encountered?

Murray: One of the first questions I got when I arrived was “what e-mail system do you want to use?” And I said, “What do you mean?” There were 21 separate, disparate e-mail systems in operation at UMB. One of the first things I did was to create a task force to tie together these systems so users could have a global address list to find anyone in the system and send them an e-mail and be certain it got to that recipient.

NWW: You refined this approach in coordinating the various help desks around campus, correct?

Murray: There was no campuswide help desk. Various organizations had their own. I created the first campus help desk, hired people to staff it and found a space for them. Then we organized formal meetings of a task force composed of people from the various local help desks.

The university’s School of Medicine was using help desk software Remedy. We just added some more software licenses to that for the campuswide desk. Through Remedy, we collect data on what are the most common questions and problems and address them. For example, we knew we were getting a lot of questions about the Apple Macintosh. So we spun off a Mac users group. We realized we could use this same approach for other IT initiatives.

NWW:  How  did  you  flesh  out  this 
approach  to  collaboration? 

Murray: What I did was to create formal structures for collaboration (see graphic). We had the IT Steering Committee already in place, but I changed the whole composition. Originally it was mostly administrative and technical people. And it wasn’t really focused on major IT goals, objectives and action.

I invited faculty and non-IT staff, each one able to represent their specific area or department. Now the Steering Committee touches everyone on the campus. It meets quarterly and we talk about updates to the overall IT [strategic] plan, what’s been done to meet plan objectives, and new issues that are emerging. There’s a yearly review of the entire IT plan, deciding what are the key IT issues, priorities and action items.

NWW: How are these action items actually tackled in this new model?

Murray: In a group of offshoot committees or task forces. The Steering Committee is in the center, like a hub. Task forces are like spokes from the hub, each one based on a separate priority. For something like campuswide wireless or IT security we create a task force that brings together experts drawn from all the groups on campus to work the actual project.

NWW:  Do  the  various  local  IT  groups,  for 
the  schools  such  as  medicine  or  nursing, 
still  have  their  own  funding  and  planning? 

Murray: These IT leaders typically are associate deans reporting to the dean of their respective schools. There are so many activities that happen in a school or other organization that it wouldn’t really work if I had to make decisions on expenditures, for example, in all those areas.

NWW: You applied this new approach in a security task force. What happened?

Murray: At first they had a hard time with this new concept of collaboration. Their initial discussions weren’t very productive. They struggled with the language of the draft policies, with who should write what, and how. But once they had the first one or two drafts of the policy completed, it really picked up speed.

NWW: Why? What changed?

Murray: They were creating a core group of security liaisons, who now stay in touch all the time, both inside and outside the task force. They were working together effectively both on operational issues, such as installing a new release of Microsoft Windows patches or a looming virus threat, and on strategic issues, such as introducing a new IT security technology.

NWW: Did this shift to a collaborative IT model lead to savings or downsizing?

Murray: We have had some savings, but I’m not comfortable trying to come up with a single dollar amount across all the organizations. What we did achieve often was cost avoidance. We redefined IT responsibilities, moving some to central IT, and freeing up more time and resources for the local IT departments at the various schools or other campus organizations to concentrate on their specific user constituencies. In some departments, this was very significant.

NWW:  How  will  you  apply  this  connected 
collaborative  model  going  forward? 

Murray: We have some big projects. One is a “preaward system” for our researchers: Faculty will be able to create and route research proposals to various funding agencies. We’ll be expanding our [human resources] self-service capabilities through the Web. We’re just starting to implement unified messaging, so each user can have voice and e-mail messages on their computers or IP-enabled phones. ■


Steering Committee structure

The  University  of  Maryland  Baltimore's  IT  steering  committee  draws 
members  (both  IT  and  non-IT)  from  various  groups  to  set  universitywide 
priorities  within  a  strategic  plan.  It  creates  task  forces  to  craft  details  for 
projects  affecting  the  entire  university. 


When  servers  are  down  or  inaccessible,  you  need 
fast  and  reliable  out-of-band  access  and  control. 

Cyclades  AdaptiveKVM™  (patent  pending)  is  the  industry’s  first 
integrated  solution  that  combines  KVM  over  IP  and  Microsoft® 
Remote  Desktop  Protocol  (RDP)  technology  in  a  single 
appliance.  By  using  KVM  over  IP  combined  with  RDP, 
AdaptiveKVM  provides  continuous  access  for  remote  server 
management. 


Next-Generation  KVM  Solution 
mate  Any  Environment

Apcon  Intellapatch™  delivers  solutions  that  reduce  costs 
for  enterprise  and  test  lab  environments 


Enterprise: 

•  Reduce  packet  analyzer
and  monitoring  costs

•  Centrally  control  and 
distribute  packet  analyzers 

•  Enable  100%  network  visibility 

•  Remotely  control 
physical  connectivity 
of  monitoring  device 


IntellaPatch™ 
Physical  Layer  Switches 


Test  Labs: 

•  Automate  networking  and 
software  test  labs 

•  Instantly  reconfigure  test  lab 
topologies 

•  Decrease  testing  time  and  cost 

•  Decrease  product  time 
to  market 


For  the  full  IntellaPatch  story,  click  www.apcon.com  or  call  1.800.624.6808. 


Solutions  for  Networks 


What's  on  your 

Network? 

Find  out  with  NetSupport... 


Centrally  Discover,  Support  and 
Manage  your  Systems.  Anywhere. 


Do you know where your oldest computer is? Need to locate and upgrade your Windows 98 systems? Are you overpaying on unused software licenses? Which employees are spending the most time surfing the web? Find out fast with NetSupport DNA.


Managing  your  company's  IT  assets  means  more  than  just  selection  and 
maintenance.  Reporting,  inventory,  deployment  and  forecasting  are  also  part  of  the 
job.  NetSupport  DNA  is  an  easy  to  use  IT  asset  management  solution  that  provides 
you  with  the  tools  you  need  to  get  to  know  your  network. 


Unlike  other  solutions,  NetSupport  DNA  does  not  require  certified  training  or  have  a 
complex  implementation  path.  It  offers  all  of  the  functionality  you'd  expect  from  an 
award  winning  asset  management  suite,  but  with  only  a  30  minute  implementation 
path. 


NetSupport  DNA  combines  powerful  hardware  and  software  inventory  with  software 
distribution,  application  and  internet  metering,  pc  remote  control,  enterprise 
reporting  and  a  web-based  help  desk  solution. 


Visit www.netsupport-inc.com and download a full trial license today. Sales: 1-888-665-0808

And in 30 minutes start viewing your vital Asset Information. www.netsupport-inc.com


Hitting  a  wall  with  your  current  sniffer? 
Break through with Observer 11. Now with enterprise strength VoIP analysis. New features include an enhanced VoIP Expert, Quality Scoring, Call Detail Records, MultiHop Analysis, and 64-bit Windows support. It's time to reset your analyzer.


Network Instruments


Wired  to  wireless,  LAN  to  WAN.  One  network  -  complete  control. 


US & Canada: toll free 800.526.5958

UK & Europe: +44 (0) 1959 569880

www.networkinstruments.com/analyze 


enhanced  VoIP  support 
How  Do  You  Distribute
Power  in  Your  Data 
Center  Cabinet? 


With  Sentry! 

CDU  Product  Family:  Metered,  Smart  &  Switched 

The  Sentry  CDU  distributes  power  for  Blade  servers  or  up  to  42  dual 
power  1U  servers  in  one  enclosure.  Single  or  3-phase  input  with 
110VAC,  208VAC  or  mixed  110/208VAC  single-phase  outlet  receptacles. 


Metered  CDU 

>  Local  Input  Current  Monitoring

Smart  CDU

>  Local  Input  Current  Monitoring

>  Supports  External  Temperature  and
Humidity  Probes

>  IP  Monitoring  of  Power,  Temperatures
and  Humidity

Server  Technology 


Switched  CDU 

>  Local  input  current  Monitoring 

>  Supports  External  Temperature  and 
Humidity  Probes 

>  IP  Monitoring  of  Power,  Temperatures 
and  Humidity 

>  Remote  Power  Control  of  Each  Outlet 
—  On  /  Off  /  Reboot 


ONE  PHONE  SYSTEM 

for  many  branch  offices 


EXTend  your  PBX  to  any 
remote  location  with: 




A  Citel  Company 


Seamlessly connect remote sites to your main PBX over T1, IP, ISDN, Frame Relay, Cable Modem, DSL. Compatible with: Norstar, Meridian, Definity, Panasonic DBS, Toshiba, NEC.


[Diagram labels: T1 or IP; Office; Corporate Office; CSU/DSU; EXTender 6000; Phones]


PERFECT  FIT  FOR  BRANCH  OFFICES, 
TELECOMMUTERS,  MOBILE  EMPLOYEES 

New,  Refurb,  Installation,  Support 



TAP  Into  Your  Network 


Only  a  TAP  can  provide  a  complete  copy  of  data  from  full-duplex  links  at  line  rate  for 
monitoring  devices.  Without  a  TAP,  a  monitoring  device  may  be  fed  incomplete  and 
misleading  information-creating  false  positives  and  overlooking  network  problems 
that  actually  do  exist.  Visit  www.networkTAPs.com/visibility  today. 


Copper nTAPs

10/100: $395

10/100/1000: $795


Copper to Optical Conversion nTAPs

SX or LX: $1,495


Optical nTAPs

One-Channel: $295

Two-Channel: $575

Three-Channel: $845


To  learn  more  about  how  nTAPs  can  boost  your  network  visibility,  which  configuration  option 
is  best  for  you,  and  to  check  out  new  pricing  go  to  www.networkTAPs.com/visibility 
or  call  866-GET-nTAP  today.  Free  overnight  delivery.* 
*Free overnight delivery on all U.S. orders over $295 confirmed before 12 p.m. Central Time.
nTAP and all associated logos are trademarks or registered trademarks of Network Instruments, LLC.
Monitor  the  REST  of  your  Computer  Room!


Water  on  the  Floor 

Temperature 

Power  Problems 

Security 

Smoke  and  Fire 

Humidity 

Video 

And  much  more 


Sends SNMP messages

Monitors 64 IP addresses

Embedded Web server

Sends e-mail

Power outage alarming

Internal UPS

Sensor inputs (temperature, humidity, water, motion, power, smoke/fire), expandable

Microphone for sound monitoring

[Product diagram labels: power control, Ethernet, voice modem and pager port interfaces]

Dealers Wanted

Terminal server vendors, who proclaim that they have Secure Out Of Band products, rely on RADIUS, TACACS+ and other in-band protocols to provide security. By inference, they imply they secure out of band access when, in fact, they offer only network security, which conflicts with out of band access.


A true Secure Out of Band Management solution should provide strong security without reliance upon network-based protocols.


CDI  offers: 

•  Hardware  encryption  over  dial-up 
and  network  connections 

•  RSA  certified  SecurID  authentication
without  a  network.

•  Patented  central  management  of  all 
remote  devices 


Full  NIST,  FIPS  140-2  certifications 

Remote  Power  control

Homologous  world-wide  approved 
internal  modems 


CDI  has  been  building  encryption  equipment  for  over  fifteen  years.  Our  customers  and  partners  include 
major  financial  institutions,  government  agencies,  major  telcos,  utilities,  and  the  United  States  military. 


Communication  Devices  Inc. 
www.outofbandmanagement.com 


D-Series  -  Cost  Effective  Server  Racks 

Designed to provide housing for servers, hubs, routers and network equipment, along with structured cabling components, these enclosures provide a highly attractive profile in a robustly constructed cabinet. 770-496-4000


www.optimaeps.com 


Optima  EPS 
Chambers

continued  from  page  12 

Cisco. They actually pushed us to move dramatically faster in the application area. So it’s moved from a transport mentality to something they want dramatically more out of in a shorter time period, and at the same time how do they control the costs with it.

What's  your  take  on  how  significant  a  competitor  Juniper  is  in  the  enterprise? 

We do not set our strategy around what our competitors do. We try to get the market transitions right and we listen to what the customers like. And then we listen to what the customers like about our competitors or not. But we try to get the market transitions right. So within the enterprise, if we’re right on data/voice/video convergence, the role security will play in that, switching combining with routing and the other elements, then for companies who come at us with a product or two it will be very challenging. Many of the companies waited too long. A lot was written two years ago about how effective some companies would be in the enterprise marketplace. [Juniper] announced their access router way ahead of us. We have had tremendous success in the access routing segment where they have not. It’s hard to move into new markets.

In each of our product areas, there’s a different No. 1, 2 or 3 potential competitor. We made a decision five years ago plus that we felt that the [network markets] would blur. None of our peers followed that. If we’re right on that, it’s going to be really difficult for them to meet us.

So  would  it  be  fair  to  say  you  consider  Juniper  a  point  product  competitor 
but  not  a  strategic  competitor? 

It would be fair to say that most of the players in the industry are primarily point product competitors, and their ability to move beyond one or two products has not occurred. We’ll see how that goes moving forward. Alcatel has taken an interesting approach in that they’re going to be the systems integrators. We’ll see how the market plays out. But it’s hard to become a leader in more than one product area.

A fair amount of your marketing right now is targeted to business executives. Isn't this a critical time, with all of the initiatives under way, to be talking more to the IT person than to the business person who probably doesn't understand these concepts?

No. Because a lot of CIOs, directly or indirectly, ask you to help them understand what this can mean to the business and why Cisco brings a unique [perspective]. So if you believe that business strategy would, at a minimum, be enabled by networked IT — and I am now beginning to believe that networked IT may actually change business strategy — you’ve got to educate the business user on what is capable and get them to understand that when you think about a Cisco IP phone, you aren’t just thinking about replacement of your prior phone. You’re thinking about integrated data, voice and video. You’re thinking also about total cost of ownership. You’re talking about flexibility in communications, about how you communicate among yourselves, with your peers. You’re thinking architecture. So you want them to think of us in that way whether it’s the CFO who has to approve us for a 20% price premium vs. XYZ company or the business leader who has to choose between adding 200 sales reps or another physical branch to spending money on the network. Same thing with the data center. We’re sending messages both to the CIO but also, with our usual humor, to the CEO that Cisco’s very uniquely positioned to provide security. It’s the balance of the two messages. ■
Group  policy  vendors  adding
better  control  to  their  wares


Policy  makers 


Special Operations Software and DesktopStandard are adding to their wares for providing extensions to Microsoft's Group Policy management technology, which is part of Active Directory.

Vendor: Special Operations Software
Software: Specops Password Policy
Description: Allows for multiple password configurations per Active Directory domain.
Available: Now

Vendor: DesktopStandard
Software: PolicyMaker Change Management
Description: Three extensions to group policy; software deployment, update and inventory.
Available: First half of 2006


BY  JOHN  FONTANA 

Desktop and server management vendor Special Operations Software this week plans to release an extension to Microsoft’s Group Policy technology that lets administrators tighten network security by controlling the strength of passwords assigned to individuals or groups of users.

Another vendor, DesktopStandard, says later this year it will ship two extensions to Group Policy for change management that focus on software deployment and inventory.

Microsoft’s Group Policy, which is supported on Windows 2000, XP and Windows Server 2003, lets administrators centrally manage, customize and lock desktop and server settings based on a set of policies maintained in the directory. Administrators can do anything from tuning security settings to preventing end users from making changes to their desktops.

“There is a lot you can do because an object exists in a directory,” says Scott Crawford, an analyst with Enterprise Management Associates. “In principle, any object in a directory can be given any attributes that you want to give it. Group Policy is taking more advantage of the capabilities that Active Directory has to offer.”

With Specops Password Policy, Special Operations is eliminating the limitation in Active Directory requiring that the same password policies apply to every user in a domain. That means all users adhere to the same rules on how a password is constructed, such as requiring the use of numbers and letters, and on what cycle it must be changed.

Password Policy gives administrators the ability to apply password policies based on group membership, organizational unit and individual user accounts. CEO and IT administrators managing many systems can have a very complex password construction that is difficult to hack, while regular end users can have something that is easier to remember but potentially less secure. Password Policy also extends the options for constructing a complex password and defines the complexity rules a password must meet.


The software requires the installation of a Dynamic Link Library on a Microsoft domain controller, which is used to run Active Directory to support the password extension. It also includes a snap-in for the Microsoft Management Console and an option to install client software that displays a dialog box on a user desktop with an explanation on how to construct a password.

Special Operations plans to follow Password Policy, which is priced at $1,200 per domain and $3 per user, with another Group Policy extension called Specops Inventory, which will ship in March. The extension is focused on asset management.

Rival DesktopStandard also plans to ship a new product in its PolicyMaker line of Group Policy extensions called Change Management that focuses on software deployment and inventory. “Microsoft’s Group Policy system offers deployment natively but it is limited,” says Eric Voskuil, CTO of DesktopStandard.

Change Management will include options for scheduling and bandwidth throttling in the deployment extension. The inventory tool will tie in with DesktopStandard’s Dragnet reporting tool to collect inventory data from network desktops and servers. The company also plans to integrate its Dragnet reporting software with all the extensions in its PolicyMaker lineup and those offered natively from Microsoft.

Pricing for Change Management has not been announced. ■
Small I.T. department facing big demands? A PC-based network can only take you so far. Enter the IBM eServer xSeries 100 Express.

It’s more robust. More available. More functional. Not only is it designed to help increase productivity and lower your computing costs, you can also expand your capabilities as your I.T. needs evolve. Plus it’s easy to install, thanks to IBM ServerGuide.

What's more, you can keep your technology current while helping to reduce costs through IBM Global Financing.

The x100 Express comes with Intel reliability and a whole lot more. Why not put it to work for you?


IBM eServer xSeries 100 Express

Affordable, reliable, easy to manage: xSeries servers with Intel® Pentium® Processors

Intel Pentium 4 Processor and Pentium D (dual core) Processors
One-way tower
Up to 500GB of storage with 2 SATA hard disk drives
From $709* (Other configurations as low as $599)
ServerGuide: for easy systems setup and configuration
ECC error-correcting memory for critical server data protection
Limited warranty: 1 year on-site


IBM  BladeCenter®  HS20  Express 

From  $1,839*  (Other  configurations  as  low  as  $1,669) 

IBM Financing Advantage: Only $52/month
Up to two Intel Xeon Processors 3.80GHz/2MB
IBM Director to help monitor usage/performance
Up to 14 blades per chassis
Limited warranty: 1 year on-site
Supports both 32- and 64-bit applications


IBM  TotalStorage®  DS400  Express 

From  $8,495*  (Other  configurations  as  low  as  $4,995) 

IBM Financing Advantage: Only $238/month
Rack mount entry-level with up to two controllers
Starts at 34GB / scales to 12TB
2GB Fibre Channel host connectivity
Limited warranty: 1 year on-site


“Double Your Memory” at no additional cost. Now get double your memory at no extra charge when you purchase select IBM eServer xSeries and BladeCenter Express systems only through ibm.com by March 13, 2006.
BACKSPIN


Mark  Gibbs 


Last week I screwed up when I cited problems Bill Gates had with an onstage demo at the International Consumer Electronics Show. Turns out that happened in 2005, not at the recent CES. As I now understand it, Gates’ latest demo went off without a hitch. My apologies. I’ll beat myself with a wet copy of Network World as soon as I stop typing.

I do, however, stand by the main contention of that original piece: that the digital lifestyle will remain fabulously irrelevant until it can deliver something other than ever-more-exotic and less reliable ways to consume the same old content. I’ve had some interesting responses to the topic that we’ll discuss in a future column.

This week I want to examine being annoying online. On Jan. 5 President Bush signed into law the Violence Against Women and Department of Justice Reauthorization Act. This admirable bill has become the focus of much commentary because of a single provision that can be creatively interpreted as making it illegal to use the Internet to be anonymously annoying.

Various pundits and columnists who shall remain nameless jumped on this bill with wild abandon, but alas for these journalists, it seems that this interpretation was not at all accurate.


Mistakes  and  annoyances 



The anonymous-harassment provision is part of a statute that I understand was part of the Communications Act of 1934 and intended to address the problem of crank calling (feel free to correct me if I have been misled). This provision was modified to include new communications technologies for the Communications Decency Act, so the issue of online annoyance is already covered, and the provision in the Violence Against Women Act is simply redundant.

But the idea of being able to sue someone for being annoying online is interesting. Whom would we go after?

First, there are the owners of badly designed commercial Web sites — they’re annoying. Consider Cingular: If you (like me) were an AT&T Wireless victim, er, customer, and you and your family tried to upgrade your cell phones on the Cingular Web site, it would send you to log on to the shattered remains of the AT&T site. There you would answer questions only to have it tell you that because you have multiple lines, you have to go to a Cingular dealer or call its customer disservice department. That’s really annoying.

How  about  people  who  send  badly  written  e-mail?  The 
folks  whose  caps  lock  key  appears  to  be  stuck  or  who 
have  never  heard  of  a  spell-checker  or  who  use  weird 
fonts  in  bizarre  colors  against  hideous  backgrounds? 

Or  how  about  the  new  spammers,  the  politicians? 


Recently  Charlie  Crist,  Florida’s  attorney  general,  got  lots 
of  positive  press  over  his  aggressive  anti-spam  laws, 
which  mandate  a  $500  fine  for  every  e-mail  a  violator 
sends.  But  now  that  Crist  is  running  for  governor,  he 
seems  to  think  he  can  send  out  unsolicited  e-mail  and, 
because  he’s  a  politician,  it  isn’t  spam.  In  December 
Crist  e-mailed  tens  of  thousands  of  state  residents  to 
promote  his  candidacy  and  solicit  donations  for  his 
campaign. 

Recipients who tried to unsubscribe found they couldn’t do it. According to a Reuters story, Vivian Myrtetus, a spokeswoman for Crist’s gubernatorial campaign, said, “This is not spam. This is truthful, it’s straightforward. We’re honest. To be spam it has to be, under Florida law, defined as being deceptive. The attorney general does not consider this spam and is, as you know, at the forefront of protecting citizens against that.”

Crist  isn’t  the  only  political  spammer  out  there,  and  it  is 
just  going  to  get  worse. 

I was going to list a few more annoyances, but the problem is we’ll never have a nice tidy Internet. It will always be messy, chaotic and dynamic, and it is all the better for it. Anyway, if being annoying online were punishable, I wouldn’t be writing this column.

Annoy  me  at  backspin@gibbs.com. 
News,  insights  and  oddities


Did  you  hear  who’s  been  in  Redmond? 


Paul  McNamara 


Internet-driven rumors can be a hoot — unless, of course, you’re the one caught under the wheels. Thanks to tools such as Technorati and Google News, today it's possible to actually watch a whopper unfold over the course of a few days.

Perhaps you too caught this giggler last week: Steve Ballmer is soon to be out as CEO of Microsoft — and his replacement will be a certain former president of the United States. . . . No, it’s not Gerald Ford.

William  Jefferson  Clinton  has  been  spotted  at  Microsoft  headquarters  multiple 
times  in  recent  months  "and  has  been  interviewing  for  the  top  slot  as  the  company 
looks  at  ways  to  transform  themselves  for  the  future,”  Andy  Abramson  wrote  Jan.  6 
on  his  blog  called  "VoIP  Watch,”  a  platform  that  has  helped  gain  Abramson  enough 
notoriety  as  a  VoIP  expert/pundit  to  be  quoted  in  The  Wall  Street  Journal,  Financial 
Times  and  San  Jose  Mercury  News,  among  a  host  of  other  media  outlets. 

Abramson  also  co-hosts  with  Ken  Rutkowski  the  daily  WorldTech  Round  Up  on 
KenRadio.com,  billed  as  "the  Internet’s  longest-running  technology  news  broadcast” 
and  the  forum  where  this  rumor  first  took  flight. 

As  you  might  expect,  the  Clinton-for-Ballmer  speculation  shot
around  the  blog  vine  like  the  latest  on  Nick  and  Jessica  (both  of  whom
are  said  to  be  in  line  for  key  jobs  in  Redmond  once  Ballmer  bails  and
Clinton  takes  over,  I  am  told).  A  mention  of  the  Clinton  rumor  in  the 
Mercury  News’  widely  read  “Good  Morning  Silicon  Valley”  newsletter 
guaranteed  that  this  one  would  have  gums  a-flappin’  far  and  wide. 

So  I  had  to  call  Abramson  to  find  out  if  he  was  serious,  fully  believing
he’d  tell  me  that  "the  rumor”  was  half  idle  speculation,  half
lighthearted  radio  schtick.

Here’s  what  I  got  instead:  “They  want  him  and  he  wants  to  be  there.” 

Don’t  ask  me  how  I  managed  not  to  laugh. 

Now  to  be  fair,  Abramson  also  allows  that  his  sources  speculate 
that  Microsoft  may  be  wooing  Clinton  to  join  its  board  of  directors,  or  that  Bill  C.
and  Bill  G.  could  be  putting  their  heads  together  on  one  of  their  respective
philanthropic  efforts  (ding,  ding,  ding).  Yet  Abramson  assures  me  that  his  reporting  of  the
juiciest  prospect  —  Ballmer  out,  Clinton  in  —  has  elicited  largely  thoughtful  replies
from  listeners,  readers  and  other  bloggers  —  including  some  within  Microsoft:  “No
one  has  said,  ‘What  kind  of  pipe  are  you  smoking?’”

Allow  me  to  be  first  then:  What  is  in  that  pipe,  Andy? 

No  matter  what  they  may  be  mumbling  around  water  coolers  in  Redmond,  there  is
no  more  chance  of  Bill  Clinton  becoming  CEO  of  Microsoft  than  there  is  of  me 
catching  Jessica  on  the  rebound.  Never  say  never?  Nonsense!  Never,  never,  never. 

I  could  cite  a  hundred  good  reasons  why  this  Clinton  fantasy  is  inconceivable,  but 
doing  so  might  give  the  impression  that  I  consider  the  matter  an  open  question.
Suffice  to  say  that  ex-presidents  do  not  trundle  back  to  the  private  sector  hat  in 
hand.  It’s  undignified,  even  for  an  ex-president  who  in  the  past  has  seemed  not  to 
understand  the  meaning  of  that  word. 

None  of  which  is  to  say  that  the  what-ifs  aren’t  great  sport. 

Example:  A  close  friend  of  mine  writes  about  business  for  a  metropolitan
daily  newspaper.  We’re  both  political  junkies,  so  last  week  we
found  ourselves  debating  via  e-mail  whether  Bill  Clinton  being  on  the
Microsoft  board  would  help  or  hurt  Hillary  Clinton’s  expected  White
House  run  (even  though  neither  of  us  puts  a  penny’s  worth  of  stock  in
the  rumor).  My  friend  said  it  would  help,  by  bolstering  Hillary’s
pro-business  credentials.  I  said  it  would  hurt,  because  carrying  Bill  C.'s
baggage  out  on  the  campaign  trail  will  be  challenge  enough  without 
Hillary  also  having  to  lug  Bill  G.’s. 

Work  time  well  spent?  . . .  You  decide.


All  rumors  are  always  welcome  here.  The  address  is  buzz@nww.com. 